572495-8 : TMM may crash if it receives a malformed packet CVE-2016-5023

570716-7 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

570617-1 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP itself correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value and therefore misparse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the HTTP/1.0 or HTTP/1.1 response it actually is.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.

538255-4 : SSL handshakes on 4200/2200 can cause TMM cores.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.

536481-4 : F5 TCP vulnerability CVE-2015-8240

533826-3 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases in size and might eventually crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system processor.

Symptoms:
The BIG-IP does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.

The following lists some examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)

Conditions:
This occurs when the following conditions are met:
- Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
- That address is not directly connected.
- The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.

520413-5 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With Woodside and the other necessary options, TMM may core. Running without Woodside, or without the other necessary options, has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from Woodside to Illinois congestion control avoids the issue.

Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.

515995-1 : Monitor fails to update Node state when Mcpd also updates Node state

Component: Local Traffic Manager

Symptoms:
Monitor fails to update Node state when Mcpd also updates Node state

Conditions:
This is an intermittent issue that might occur as a result of a timing issue between the monitor and the Mcpd process.

Impact:
Node fails to change state.

Workaround:
bigstart restart bigd.

Fix:
This release fixes a timing issue in which a monitor failed to update Node state when Mcpd also updated Node state.

Symptoms:
In an intra-cluster environment, if persist is used, tmm might crash occasionally.

Conditions:
This is a rare crash related to persistence in a clustered configuration. It can be aggravated by using iRules containing commands that park the iRule, such as the after command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes occasionally when using persist in intra-cluster environments.

505071-6 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.

In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.

487808-4 : End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.

Component: Global Traffic Manager

Symptoms:
The BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features have reached End of Life (EoL).

Fix:
Link cost and inbound link path load balancing software support has reached EOL. For more information, see SOL15834: End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15834.html.

485833-2 : The mcpd process may leak memory when using tmsh to modify user attributes

Component: TMOS

Symptoms:
The Master Control Program Daemon (mcpd) may leak memory when you use the Traffic Management Shell (tmsh) to modify user attributes.

Note: The mcpd process is the messenger process that allows userland processes to communicate with the Traffic Management Microkernel (TMM), and the other way around.

As a result of this issue, you may encounter one or more of the following symptoms:

-- You are unable to configure the BIG-IP system.
-- You are unable to obtain statistics, or statistics may not be accurate.
-- In the /var/log/ltm file, you may observe an error message similar to the following example:
02001018:system library:fopen:Too many open files

Conditions:
This issue occurs when the following condition is met:

-- You are using the tmsh modify auth <user> command options to modify local user accounts. Some of the options include the following:
   description: User description.
   partition-access: The administrative partition to which the user has access.
   password: Set or modify the user password.
   role: Specifies the user role for the user account.
   shell: Specifies the shell to which the user has access.

Impact:
-- You cannot obtain or update the system status.
-- You cannot configure the BIG-IP system.
-- Userland processes may not be functional.

Workaround:
There is no workaround for this issue. To restore mcpd functionality, you can restart mcpd from the command line. To do so, perform the following procedure:

Impact of procedure: Restarting the mcpd process interrupts all traffic processing on the BIG-IP system. You should perform this procedure during a maintenance window.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

To restart the mcpd process, type the following command:
restart sys service mcpd

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of the RAID disk failure alert in alert.conf is similar to the following:

alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
    lcdwarn description="RAID disk failure." priority="3"
}

Impact:
The actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because the configured pattern never matches this syntax, no SNMP trap is issued for the failing disk, and the LCD message is not displayed.
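As an added check written for this note (not F5's alertd or its shipped fix): the alert pattern quoted above is tested with Python's re module against constructed log lines in the syntax the Impact section quotes, next to a tolerant pattern that accounts for the md/raidN:mdNN: prefix the kernel actually emits. alertd's own regex engine may differ from Python's, so treat the results as an approximation of how the alert definition behaves.

```python
import re

# The alert pattern exactly as quoted from alert.conf in this note.
CONFIGURED_PATTERN = r"raid[0-9]: Disk failure .*?"

# A tolerant pattern written for this illustration (not F5's shipped fix):
# it accepts the md/raidN:mdNN: prefix that the kernel actually emits and
# captures the failed device name in group 1.
TOLERANT_PATTERN = r"raid[0-9]+(?::[A-Za-z0-9_]+)*: Disk failure on ([^\s,]+)"

# Constructed log lines in the syntax quoted in the Impact section.
SAMPLE_LOG_LINES = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
    "alert kernel: md/raid1:md3: Disk failure on sdb1, disabling device.",
]


def matching_lines(pattern, lines):
    """Return the log lines an alert with this pattern would fire on."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def failed_devices(pattern, lines):
    """Return the device names captured by the pattern's first group."""
    rx = re.compile(pattern)
    devices = []
    for line in lines:
        m = rx.search(line)
        if m is not None and m.lastindex:
            devices.append(m.group(1))
    return devices


def audit_alert_pattern(pattern, lines):
    """Flag a silent alert: lines that report a disk failure but would not
    trigger the given pattern. Returns the list of missed lines."""
    rx = re.compile(pattern)
    return [line for line in lines
            if "Disk failure" in line and not rx.search(line)]


if __name__ == "__main__":
    # With the configured pattern every real failure line is missed.
    print("missed by configured pattern:",
          audit_alert_pattern(CONFIGURED_PATTERN, SAMPLE_LOG_LINES))
    print("devices seen by tolerant pattern:",
          failed_devices(TOLERANT_PATTERN, SAMPLE_LOG_LINES))
```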

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example:

./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line:

name "vs_1"
address 10.221.43.28:1545

470756-3 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning or error logs leading up to the restart that might indicate the root cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions persist for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might time out or fail.

452318-3 : Apache Commons FileUpload vulnerability CVE-2014-0050

451003-4 : SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported

Component: Local Traffic Manager

Symptoms:
When using ClientSSL, client certificate authentication may fail if client certificate authentication is set to 'request' or 'require'.

Conditions:
This occurs when the following conditions are met:
-- A ClientSSL profile exists on the virtual server.
-- The ClientSSL profile is configured with client certificate authentication set to 'request' or 'require'.
-- The client responds with a certificate signed with one of the following affected signature algorithms: SHA256-RSA (0x0401), SHA384-RSA (0x0501), or SHA512-RSA (0x0601).

Impact:
SSL/TLS connections fail to establish for some clients on virtual servers that request or require client certificates.

Fix:
Fixed an issue with passing traffic via WOM after a failover event.

447424-3 : SSL session resumption can mistakenly use software path

Component: Local Traffic Manager

Symptoms:
Resumed SSL server-side sessions can be routed to the software encryption path because the key-size structure is not properly initialized. This causes a performance degradation when encryption hardware is available.

Conditions:
Server SSL profile and SSL resumption in play for a connection using a cipher that is allowed to be encrypted in hardware.

Impact:
Slower rate and more CPU usage due to SSL session being encrypted/decrypted in software when it is a valid hardware cipher.

Fix:
Resumed SSL server-side sessions are now correctly using hardware encryption when it is applicable, instead of always defaulting to software.

446835-2 : fastl4 tcp-handshake-timeout

Component: Local Traffic Manager

Symptoms:
The fastl4 tcp-handshake-timeout value does not change to the idle timeout value after the TCP 3-way handshake completes.

Conditions:
This issue is transient and occurs when using a fastl4 profile. After the system returns to the TCP_CLOSED state, it will be OK.

Impact:
Instead of switching to the idle timeout value after the 3-way handshake completes, a connection can retain the tcp-handshake-timeout value, which could cause it to time out early.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.

430117-2 : DIAMETER can double-free data leading to unpredictable behavior

Component: Service Provider

Symptoms:
Resets on the server side of a hudchain; unpredictable behavior; core dumps with differing stack traces.

Conditions:
Persistence was enabled and a server-initiated message was sent.

Impact:
V11.0.0, v11.1.0, v11.2.0-hfn

Workaround:
N/A

Fix:
A double-free condition in the Diameter profile has been fixed.

428735-1 : TACACS+ system auth and file descriptors leak

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]. This can eventually lead to lack of access to the BIG-IP system from all but the root account.

Conditions:
Remote system authentication is configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include the Web UI, iControl, and iControl REST. Repeated automated access using iControl is the fastest route to exhaustion.

Impact:
If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Several workaround options:
1. Use a system auth method other than TACACS+.
2. Use only SSH for administrative access.
3. Restart httpd as needed.

Fix:
A TACACS+ system auth and file descriptors leak has been corrected.

425420-3 : Server-side SSL can reuse expired session IDs

Component: Local Traffic Manager

Symptoms:
Server-side SSL might send a session ID that should have expired to the SSL server.

Conditions:
Expiring SSL sessions.

Impact:
Very minimal. This is only a problem when the cache timeout set on the server ssl profile is less than the timeout set on the SSL server.

Workaround:
None.

Fix:
Server side SSL will no longer send expired session IDs to the server.

424931-3 : Creating or copying large files may cause the csyncd service to spike CPU utilization.

Component: Local Traffic Manager

Symptoms:
Creating or copying large files may cause the csyncd service to spike CPU utilization.

As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP iHealth lists Heuristic H484968 on the Diagnostics > Identified > High screen.
-- CPU utilization may spike to 90-100 percent.
-- Using the Linux command line utility top to view the csyncd service CPU utilization shows the csyncd service using a high percentage of CPU right after you have created a large file.
For example, type the following command:

Symptoms:
GNU tar can't handle files with a backslash in the filename when the '--files-from' option is used. The "im" process on BIG-IP uses '--files-from' to tar files into a package. If there is a backslash in any filename, the process will fail.

Conditions:
Creating UCS files, and files in the file system contain a backslash. This can occur with TACACS remotely authenticated BIG-IP users, and there could be other scenarios that cause this.

These messages indicate errors reading one of the CPLD (Complex Programmable Logic Device) registers which are polled periodically to provide information about the internal status of BIG-IP hardware. These errors are typically intermittent, and the CPLD register reads typically succeed during the next polling interval.

Impact:
This problem will result in log messages reporting errors reading CPLD registers.
Information obtained from CPLD registers is read periodically and reported by various BIG-IP utilities. CPLD register read errors will result in temporarily incorrect or missing hardware details. If the CPLD register is read successfully during the next polling period (typically every 30 seconds), the correct information will be displayed.

Workaround:
If these errors occur intermittently and infrequently, they can be safely ignored.
If these errors occur frequently and persistently, further hardware diagnostics should be considered.

Fix:
Reduced error rate reading LOP CPLD sensors.

402976-1 : tmm core on out of memory

Component: Local Traffic Manager

Symptoms:
TMM can crash on an out-of-memory condition.

Conditions:
Normal operation, but tmm is heavily loaded and there is memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If this is a vCMP or VE instance, consider increasing the available memory for the instance.

395901-1 : Persisted connections will not bump pool member out of slowramp

Component: Local Traffic Manager

Symptoms:
A pool member that is getting only persisted connections might inadvertently stay in slowramp. Slowramp is removed once a connection comes in and the system determines the slowramp period has expired.

Conditions:
A pool member that is getting only persisted connections during slowramp time.

Impact:
The pool member stays in slowramp and might reject a new connection, causing the connection to go to another pool member. Once a new connection is sent to the pool member past the slowramp period, that should bump the pool member out of slowramp and subsequent connections should be fine.

Workaround:
None.

Fix:
The system now removes slowramp as expected for a pool member that is getting only persisted connections.

395171-1 : The BIG-IP system may monitor a gateway fail-safe pool configured for a peer BIG-IP system

Component: TMOS

Symptoms:
The BIG-IP system may monitor a gateway fail-safe pool configured for a peer BIG-IP system.

As a result of this issue, you may encounter the following symptom:

After receiving a ConfigSync operation, the BIG-IP system status will be green (available) or red (unavailable) for a gateway fail-safe pool configured to be monitored by a peer BIG-IP system.

Note: Prior to a ConfigSync operation, the BIG-IP system status will be blue (unknown) for a gateway fail-safe pool configured to be monitored by a peer BIG-IP system.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is a member of a high availability device group.
-- Each BIG-IP system in the device group is configured to monitor a unique gateway failsafe pool.
-- The BIG-IP system receives a ConfigSync operation.

When the BIG-IP system receives a ConfigSync operation from a peer BIG-IP system, the bigd process will begin monitoring all gateway fail-safe pools, even if the BIG-IP system is configured to be monitored by a peer BIG-IP system.

For example:

A pair of BIG-IP systems are configured with two gateway fail-safe pools (GWPool1 and GWPool2).
-- GWPool1 is configured to be monitored by BIG-IP-1, and GWPool2 is configured to be monitored by BIG-IP-2.
-- BIG-IP-1 performs a ConfigSync operation to BIG-IP-2.
-- BIG-IP-2 begins monitoring both pools.

Impact:
The BIG-IP system erroneously monitors a gateway fail-safe pool configured for a peer system.

Workaround:
To work around this issue, reload the configuration on the affected BIG-IP system. To do so, perform the following procedure:

Impact of workaround: None

Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

Note: If you are currently logged in to the tmsh shell, you can skip this step.

Reload the configuration by typing the following command:

load sys config

Fix:
Gateway Failsafe pool members are no longer incorrectly updated for devices that they do not belong to.

Symptoms:
If there is an existing accelerated connection on an active unit, upon failover, that connection might be dropped. This applies to hardware acceleration at SYN time, not 3WHS - established time.

Conditions:
This occurs when the following conditions are met:
-- Connection is offloaded in hardware and remains in hardware.
-- Connection was originally offloaded at TCP SYN time.
-- Upon failover to the standby unit, server-side traffic arrives first, and no client traffic arrives before the default handshake timeout expires.

Impact:
After failing over, the mirrored hardware acceleration connection might be dropped if no client traffic arrives before the timeout.

Workaround:
Use 3WHS establishment time offload instead.

Fix:
The first server packet after failover no longer triggers pva mirror connection to handshake timeout, so the connection is retained as expected.

386032 : Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full disables Auto-MDIX.

Component: TMOS

Symptoms:
Auto-MDIX stays enabled even when the management port settings are forced.

Conditions:
Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full.

Impact:
Disables Auto-MDIX.

Workaround:
None.

Fix:
Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full no longer disables Auto-MDIX.

384002-1 : freetype security update

Symptoms:
Multiple flaws were found in the way FreeType handled fonts in various formats.

Conditions:
N/A

Impact:
If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144)

If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash. (CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143)

Workaround:
Install the hotfix.

365219-5 : Trust upgrade fails when upgrading from version 10.x to version 11.x.★

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but there will be one of the two following error messages in /var/log/ltm log:

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.

Conditions:
The management address is configured as a device unicast address.

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self-IPs, and retries the bind() without logging an error if a race condition occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid, which is correct behavior.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 15 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. All bugs now have a single version assigned to them, so bugs can have sub-bugs denoted by a '-' followed by the sub-bug number, e.g., 404716-4, where 404716 is the parent bug. The release notes for previous rollups will also reflect this change, so some bugs may now carry a sub-bug suffix.

Cumulative fix details for BIG-IP v11.2.1 Hotfix 15 that are included in this release

534630-2 : Upgrade BIND to address CVE 2015-5477

Component: TMOS

Symptoms:
See SOL https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html for complete information. BIND will issue a REQUIRE assert and exit under certain conditions. It will automatically be restarted by bigstart.

Conditions:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.

Impact:
DNS resolutions that are answered by the on-box BIND server may be interrupted.

Workaround:
Please see F5 Solution SOL16909.

Fix:
BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.

530829-4 : UDP traffic sent to the host may leak memory under certain conditions.

Component: Local Traffic Manager

Symptoms:
Possible memory leak with UDP traffic.

Conditions:
When UDP traffic is sent to the host.

Impact:
If memory leak becomes large enough over time, there could be a reboot.

Symptoms:
On rare occasions systems hang due to leap-second livelock. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system fails to process traffic for a brief period of time.
-- The BIG-IP system fails over to another host in the device group.
-- Error messages similar to the following example may appear in the /var/log/daemon.log file:
notice ntpd[6789]: kernel time sync enabled
-- Error messages similar to the following example appear in the /var/log/ltm file:
notice boot_marker : ---===[ MD1.2 - BIG-IP 11.3.0 Build 3158.21 ]===---
chmand[6586]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
chmand[6587]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
chmand[6588]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
chmand[6589]: 012a0004:4: Host CPU subsystem reset caused by *** Super I/O watchdog timeout ***

Conditions:
During the 24-hour window leading up to a leap second event, a Red Hat kernel livelock condition may occur. As a result, the BIG-IP hardware watchdog triggers a reboot to allow the system to recover. This occurs due to the Red Hat kernel-based livelock condition referenced by the following link: https://rhn.redhat.com/errata/RHBA-2012-1198.html

Impact:
BIG-IP system will restart.

Workaround:
Once affected, running this command resets the clock and eliminates the issue: date -s "$( date )". You can read more about this issue in SOL16839: The BIG-IP system may reboot when configured to synchronize its clock with an NTP server, available here https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16839.html, and on the Redhat site, here: https://access.redhat.com/solutions/154713.

Fix:
The issue resulting from NTP inserting the leap second has been resolved.

529509-2 : CVE 2015-4620 BIND vulnerability

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to the F5 architecture and design, this has restricted impact: it can only affect GTM, and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:

523863-3 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The Bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.

523079-4 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.

523032-2 : qemu-kvm VENOM vulnerability CVE-2015-3456

Component: TMOS

Symptoms:
A vCMP hosted guest may be able to execute code in the context of the vCMP host hypervisor.

Conditions:
An attacker with root access on a vCMP guest may be able to crash the guest instance and/or execute code in the context of the vCMP hypervisor.

Impact:
An attacker in a vCMP guest can crash the guest system and/or execute code in the context of the hypervisor.

Workaround:
None.

Fix:
Integrated fixes to resolve CVE-2015-3456.

522231-6 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) The client resets the connection immediately after the request completes and before the response has started to be served.

Impact:
TMM crashes when the issue occurs causing failover for a high availability group or service disruption on a standalone device or temporary load increase if the device is a member of a cluster (AAM farm, for example).

Workaround:
Install the fix.

Fix:
Fix removes the condition when AAM starts to serve the response to the already aborting connection.

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.

518020-3 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
An improperly formatted HTTP request through BIG-IP may cause the connection to hang and eventually time out.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server. If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as 1.1, and both servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers time out the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations: 1) An iRule that drops the connection after a specified amount of idle time. 2) An iRule that validates the request line and corrects it. 3) Tuning of profile timeouts. 4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
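The entry above turns on how a proxy classifies the request line: a version token that does not match the HTTP-version grammar should be rejected, not silently downgraded to HTTP/0.9 with the rest of the request held back. The following is an added illustration written for this page, not BIG-IP code, and the proxy decision function, sample requests and "lenient"/"strict" modes are constructed for the example. It shows the strict RFC 7230 request-line check beside a lenient fallback that reproduces the hang-inducing behaviour the note describes (only the first line forwarded, the remainder withheld).

```python
import re

# Strict request-line grammar (RFC 7230 section 3.1.1):
#   request-line = method SP request-target SP HTTP-version CRLF
#   HTTP-version = "HTTP/" DIGIT "." DIGIT
REQUEST_LINE_RE = re.compile(
    rb"^(?P<method>[!#$%&'*+\-.^_`|~0-9A-Za-z]+) "
    rb"(?P<target>[^ \r\n]+) "
    rb"HTTP/(?P<major>\d)\.(?P<minor>\d)$"
)


def classify_request_line(line: bytes):
    """Classify one request line (trailing CRLF optional).

    Returns ("ok", (major, minor)) for a well-formed HTTP/1.x line,
    ("http09", None) for a genuine two-token HTTP/0.9 line, and
    ("reject", reason) for anything else, including a three-token line
    whose version token does not match the grammar (e.g. "HTTP/1.x").
    """
    line = line.rstrip(b"\r\n")
    m = REQUEST_LINE_RE.match(line)
    if m:
        return ("ok", (int(m["major"]), int(m["minor"])))
    parts = line.split(b" ")
    if len(parts) == 2 and parts[0] == b"GET":
        return ("http09", None)          # HTTP/0.9 has only "GET <target>"
    if len(parts) == 3:
        return ("reject", "malformed HTTP-version token %r" % parts[2])
    return ("reject", "malformed request line")


def handle_request(raw: bytes, strict: bool = True):
    """Decide what a proxy should do with a buffered request (hypothetical helper).

    Lenient mode models the pre-fix behaviour described in the release note:
    an unrecognised version token is treated like HTTP/0.9, so only the first
    line is forwarded and everything after the first CRLF is held back, which
    leaves an HTTP/1.1 back end waiting for headers that never arrive.
    Strict mode (the hardened choice) resets the malformed request instead.
    """
    first_line, sep, rest = raw.partition(b"\r\n")
    kind, info = classify_request_line(first_line)
    if kind == "ok":
        return {"action": "forward", "version": info, "forwarded": raw}
    if kind == "http09":
        return {"action": "forward", "version": (0, 9), "forwarded": first_line + sep}
    if strict:
        return {"action": "reset", "version": None, "reason": info}
    # Lenient: silently downgrade and hold back the remaining bytes.
    return {"action": "forward", "version": (0, 9),
            "forwarded": first_line + sep, "held_back": rest}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "well_formed": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "true_http09": b"GET /index.html\r\n",
    "bad_version": b"GET /index.html HTTP/1.x\r\nHost: example.test\r\n\r\n",
    "two_digit_minor": b"GET /index.html HTTP/1.11\r\nHost: example.test\r\n\r\n",
}


def classify_samples():
    """Return {name: action} for the constructed samples under strict handling."""
    return {name: handle_request(raw)["action"] for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, handle_request(raw, strict=True))
        print(name, "(lenient)", handle_request(raw, strict=False))
```

The strict path is the one a proxy should take: a request line with three tokens whose third token is not `HTTP/<digit>.<digit>` is malformed, and resetting it costs one client connection, whereas downgrading it costs a back-end slot for as long as the server's header timeout.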

517578-4 : statsd crash when failed to open stats files

Conditions:
Any error opening stats files, for example a permissions problem or file descriptor exhaustion.

Impact:
The statsd daemon crashes leaving a core file and a gap in collecting systems stats and historical stats.

Workaround:
none

Fix:
A logic error on an error path was fixed.

513916-2 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.

513454-4 : An snmpwalk with a large configuration can take too long

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

511534-7 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load

Component: WebAccelerator

Symptoms:
When loading an AAM policy, the tmm compiles the rules to an internal structure that is efficient for execution. Some conditions however may cause this process to take too long and the tmm gets halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since you can have conditions on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.

508716-1 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
DNS cache resolver drops chunked TCP responses

Conditions:
If the cache resolver uses TCP to resolve a query, and a nameserver does not include the complete reply in the first TCP segment.

Impact:
The response is discarded, the connection dropped, and the query retried.

504306-5 : https monitors might fail to re-use SSL sessions.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Conditions:
This occurs when the following conditions are met: -- The virtual server has a SIP profile. -- The virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events. -- A SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
none

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Workaround:

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist: - HTTPS Pool member or server. - Virtual server with Server SSL profile. - Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix:
The BIG-IP system now successfully completes an SSL handshake with a server that uses Diffie-Hellman parameters of 2048 bits or larger.

472148-2 : Highly fragmented SSL records can result in bad record errors on Nitrox based systems

Component: Local Traffic Manager

Symptoms:
If a highly fragmented SSL record is decrypted by a system with a Cavium Nitrox card, the system will incorrectly respond with a bad SSL record error.

Conditions:
Highly fragmented SSL records and a system with a Cavium Nitrox card.

470715 : Excessive IP fragmentation on tmm_bp vlan causes ftp data loss when long vlan name is used

Component: Local Traffic Manager

Symptoms:
When a very long vlan name (>= 16 characters including the /Common/ folder name prefix) is used, the maximum size packet on the tmm_bp vlan exceeds the configured MTU size of 1582 if the packet is forwarded through the MPI channel. This causes excessive IP fragmentation on the tmm_bp vlan and high CPU usage. In some cases it also causes packet loss.

Conditions:
Long vlan names (16 characters or longer) are being used.

Impact:
This can cause excessive IP fragmentation on tmm_bp vlan and high cpu usage. In some cases it would also cause packet loss.

Symptoms:
When booting an affected release, the system will not go active and mcpd will not come up. In /var/log/ltm, an error similar to the following will be seen. err mcpd[1234]: 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2). This causes the system to have an inconsistent view of the disks and subsequent steps in the boot process fail to complete.

Conditions:
This only happens on the 11050 platform running an affected release. It occurs on boot into TMOS.

Conditions:
A SIP heartbeat message, a UDP packet containing a double CRLF, is sent by the client to the server.

Impact:
Connection might be terminated.

Workaround:
None.

Fix:
The heartbeat SIP message, which is a UDP packet with CRLF, is now ignored and the connection is maintained.

466486-3 : CVE-2014-0224: CCS vulnerability

Component: TMOS

Symptoms:
An early change cipher spec message could result in a man in the middle attack against OpenSSL 0.9.8 servers. The management GUI uses OpenSSL 0.9.8 on 11.4.0 and 11.4.1. This patch fixes OpenSSL so that it is not vulnerable to a MITM. BIG-IP virtual servers doing TLS termination are not vulnerable to the man in the middle attack.

Conditions:
11.4.0 and 11.4.1 are only vulnerable on the management port.

Impact:
Potentially vulnerable to listed CVE.

Workaround:

Fix:
OpenSSL has been upgraded to eliminate the man in the middle attack.

465908-6 : CVE-2014-0224: behavior change

Component: Local Traffic Manager

Symptoms:
BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early change cipher spec messages. This fix imitates that behavior.

Conditions:
A CCS (change-cipher-spec) message is received before the client key exchange.

Impact:
The system should not tolerate an incorrect SSL message sequence. In this case, a CCS (change-cipher-spec) is received before the client key exchange.

Workaround:
N/A

Fix:
BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
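Both CVE-2014-0224 entries (466486-3 and 465908-6) come down to one rule: a TLS endpoint must enforce the handshake message order and abort when a ChangeCipherSpec arrives before the ClientKeyExchange has established keying material. The following is an added illustration written for this page, not BIG-IP or OpenSSL code: a simplified server-side state table for the client's handshake flight (including the optional client Certificate and CertificateVerify messages) and a checker that rejects the first out-of-order message. Message names are the standard TLS 1.0-1.2 handshake types; the state table and sample sequences are constructed for the example.

```python
# Messages the server expects from the client in a full TLS 1.0-1.2
# handshake, expressed as allowed transitions from the last accepted message.
# Client Certificate / CertificateVerify are optional (client auth only).
EXPECTED_NEXT = {
    "start":             {"ClientHello"},
    "ClientHello":       {"Certificate", "ClientKeyExchange"},
    "Certificate":       {"ClientKeyExchange"},
    "ClientKeyExchange": {"CertificateVerify", "ChangeCipherSpec"},
    "CertificateVerify": {"ChangeCipherSpec"},
    "ChangeCipherSpec":  {"Finished"},
    "Finished":          set(),   # handshake complete; nothing more expected
}


def check_client_flight(messages):
    """Validate the order of messages received from the client.

    Returns (True, None) when the sequence is a complete, well-ordered
    handshake, or (False, reason) naming the first message that was not
    allowed in the current state. A ChangeCipherSpec seen before
    ClientKeyExchange is rejected here, which is the strict behaviour the
    CVE-2014-0224 fix adopts.
    """
    state = "start"
    for msg in messages:
        allowed = EXPECTED_NEXT.get(state, set())
        if msg not in allowed:
            return (False, "unexpected %s after %s" % (msg, state))
        state = msg
    if state != "Finished":
        return (False, "handshake incomplete after %s" % state)
    return (True, None)


# Constructed sample flights (not captured traffic).
SAMPLE_FLIGHTS = {
    "normal": ["ClientHello", "ClientKeyExchange", "ChangeCipherSpec", "Finished"],
    "client_auth": ["ClientHello", "Certificate", "ClientKeyExchange",
                    "CertificateVerify", "ChangeCipherSpec", "Finished"],
    "early_ccs": ["ClientHello", "ChangeCipherSpec", "ClientKeyExchange", "Finished"],
    "truncated": ["ClientHello", "ClientKeyExchange"],
}


def evaluate_samples():
    """Return {name: accepted?} for the constructed sample flights."""
    return {name: check_client_flight(seq)[0] for name, seq in SAMPLE_FLIGHTS.items()}


if __name__ == "__main__":
    for name, seq in SAMPLE_FLIGHTS.items():
        print(name, check_client_flight(seq))
```

The point of the table is that the check is purely positional: the endpoint does not need to reason about what an early CCS would do to key derivation, it only needs to refuse any message that is not permitted in the current state and tear the connection down, which is what the behaviour change in 465908-6 describes.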

465803-8 : CVE-2014-0221 CVE-2014-0195: DTLS flaws

Component: TMOS

Symptoms:
CVE-2014-0221 CVE-2014-0195 are OpenSSL flaws in the DTLS implementation. BIG-IP does not have any DTLS servers. BIG-IP does not by default have any DTLS clients, but some may be configured by customers. These clients might be vulnerable.

464043-6 : Integration of Firmware for the 2000 Series Blades

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.

460444-5 : VIPRION B4300 BIOS version 2.03.052.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-2)

Conditions:
Affects VIPRION B4300 series blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-2)

Workaround:

460428-5 : BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-4)

Conditions:
Affects BIG-IP 2000-/4000-series appliances.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-4)

Workaround:

460406-5 : VIPRION B2100-series BIOS version 1.06.043.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-1)

Conditions:
Affects VIPRION B2100 and B2150 blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-1)

Workaround:

460197-4 : BIG-IP Stratos 2200s and 4200v LTM xdata memory leak

Component: Local Traffic Manager

Symptoms:
This applies only to Stratos 2200s and 4200v platforms. Resetting connections with compressed content might not perform a complete clean-up.

Conditions:
Manifests when there is a reset on the flow. The resets slowly accumulate xfrags and active_requests.

Impact:
The incomplete reset results in orphaned xfrags and active_requests growing without bound. New requests on the affected virtual server will stall.

Workaround:
none

Fix:
active_requests is updated when a flow using hardware acceleration is reset.

457934 : SSL Persistence Profile Causing High CPU Usage

Component: Local Traffic Manager

Symptoms:
Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm.

Conditions:
This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr.

Impact:
Large increase in CPU usage on the box, and a percentage of SSL connections through the virtual server are delayed and eventually reset.

Workaround:
None.

Fix:
SSL Persistence Profile now operates correctly, and does not cause high CPU usage.

455553-6 : ICMP PMTU handling causes multiple retransmissions

Component: Local Traffic Manager

Symptoms:
When an improperly large TCP Maximum Segment Size (MSS) triggers ICMP PMTU messages, TCP responds by resending the entire send queue with the new MSS.

Conditions:
This occurs when you configure a path with an MTU less than 1500 Bytes and attempt a file transfer with initcwnd greater than 1.

Impact:
Large amounts of duplicate retransmission.

Workaround:

Fix:
No multiple retransmission of the entire send queue when the MSS size is improperly large.

Symptoms:
While running BIG-IP on 2000-series and 4000-series appliances with compression enabled, xdata memory usage rapidly increases and can result in an out-of-memory condition and subsequent TMM core.

Conditions:
BIG-IP 2000-series and 4000-series appliances with compression enabled in an active profile.

Impact:
Performance degradation followed by out-of-memory condition and traffic outage due to TMM core.

Workaround:
n/a

Fix:
A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.

Fix:
The listener ref count no longer overflows and causes a TMM core and crash.

447075-7 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state. A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades. However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products). BIG-IP appliances which do NOT employ a Broadcom hardware switch include: BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods: 1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device. 2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP. 3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.

443157-2 : zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db

Component: Local Traffic Manager

Symptoms:
zxfrd might crash when the zone file zxfrd.bin is deleted and zxfrd is restarted.

443098-8 : Memory leakage when Proxy SSL feature enabled

Symptoms:
When the Proxy SSL feature is enabled, small amounts of memory used during connection handling are leaked. Over a long period of time, this leakage accumulates and causes memory pressure.

Conditions:
This occurs when the Proxy SSL feature is enabled.

Impact:
When this occurs, memory is leaked over time, eventually resulting in performance degradation and a traffic outage.

Workaround:
None.

Fix:
The Proxy SSL feature no longer leaks memory.

441830-12 : VPN driver installer was modified to support Windows 8.1

Component: Access Policy Manager

Symptoms:
If a user has an older VPN driver (older than 7060.2012.0322.2004, e.g. 7050,2011,607,846 (10.2.4 HF7)) and tries to update components by browser or package, the user will get an error stating that the modem (or other connecting device) is already in use or is not configured properly, or a BSOD.

Conditions:
This may happen if the user has Windows 8.0 and uses BIG-IP 10.2.4, then upgrades Windows to 8.1 and at the same time upgrades BIG-IP to 11.5.0.

Impact:
This can cause the user's system to reboot.

Workaround:

Fix:
Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.

439904-3 : Wamd crashed after command 'tmsh restart sys service mcpd'

Component: WebAccelerator

Symptoms:
Daemon wamd crashes when mcpd is not available.

Conditions:
AAM is provisioned and the mcpd daemon is restarting.

Impact:
Wamd crashes producing a core.

Workaround:
This issue has no workaround at this time.

Fix:
When mcpd goes down with AAM provisioned, wamd no longer crashes when it tries to communicate with mcpd.

Symptoms:
TMM will core with panic string "Request for segment from middle of queue."

Conditions:
The conditions are infrequent and not all of them are known fully. TCP is in an invalid state for that particular flow, and this flow cannot continue anymore.

Impact:
Entire tmm will core due to one flow being in this invalid state.

Workaround:
This issue has no workaround at this time.

Fix:
The asserting condition has been converted to a reset of that particular flow, with the RST cause "Request for segment from middle of queue." This was judged better for product stability, as one affected flow no longer cores the whole tmm.

Symptoms:
If client components without BZ430965 fixed are installed and then uninstalled on Windows 8.1, then the F5 Networks VPN Adapter will be uninstalled only partially. A subsequent attempt to install VPN Adapter driver on such client machine may lead to blue screen error.

Conditions:
VPN adapter not completely uninstalled.

Impact:
Difficulty installing F5 VPN software on client system.

Workaround:
In order to completely uninstall VPN Adapter driver: 1) Open Device Manager. 2) In the main menu select View -> Show hidden devices. 3) Expand Network adapters. 4) Right-click on F5 Networks VPN Adapter. 5) In the popup menu select Uninstall. 6) In the next window check Delete the driver software for this device.

Symptoms:
When 2000/4000 platforms return an error condition to the TMM driver, the number of active requests is not decremented. This can cause hardware compression to stop adding jobs to the hardware queue.

Conditions:
This occurs on 2000/4000 platforms that return an error condition to the TMM driver.

Impact:
When this occurs, the system might show a drop in performance. CPU usage might report as very high, and hardware compression jobs are no longer queued.

Workaround:
None.

Fix:
In this release, the system correctly decrements the active jobs counter when this error is detected. CPU no longer runs high, and jobs are assigned to the correct compression queue.

Symptoms:
BIG-IP EDGE client for Windows does not reconnect to existing BIG-IP session when connectivity to the server is lost for some period of time. When network connectivity is restored to BIG-IP server, the BIG-IP EDGE client creates a new session.

Conditions:
This occurs when using the BIG-IP EDGE client for Windows when connectivity to server is lost and then restored.

Impact:
Full reconnection is made and the previous session is not removed.

Workaround:

Fix:
EDGE Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.

429122-2 : istatsd has high CPU usage when segment files get corrupted

Component: TMOS

Symptoms:
If for some other reason the istats segment files became corrupted, then istatsd could use excessive CPU.

Conditions:
The istats segment file became corrupted by some other problem.

Impact:
The high CPU use by istatsd could diminish resources available to other processes causing poor responsiveness for things like tmsh or web management.

Workaround:
Stop istatsd and remove the istats segment files. Then restart istatsd to recreate the segment files. This will cause all statistics in these files to be reset.

Fix:
Even when there is corruption, istatsd will no longer use an excessive amount of CPU.

428718-3 : VIPRION SPR PIC firmware version 3.00 update

Component: TMOS

Symptoms:
1. Chassis backplane CAN bus traffic is filtered to minimize unnecessary traffic processing on devices, which improves reliability of chassis firmware updates and serial console redirection between blades (ID411726). 2. More efficient buffering and packet sizing is used for redirected serial console output (ID411724). 3. Using the AOM menu to power-on a blade which is already powered on will cause the blade to reboot (ID419637).

Impact:
1. Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect. 2. Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect. 3. Selecting a blade to power on/off via the AOM menu, then selecting to turn the blade on will cause the blade to reboot. There is no safe choice if the blade was selected by mistake.

Workaround:

426600-3 : tmm may loop with priority group and rate limit enabled

Component: Local Traffic Manager

Symptoms:
TMM may loop and eventually be killed by the sod service.

Conditions:
Rate limit and priority group are enabled.

Impact:
tmm will crash.

Workaround:
None.

Fix:
The tmm loop has been fixed.

426332-2 : Load common partition, rule_event objects in other partitions are removed

Component: TMOS

Symptoms:
Internal objects used as part of iRules in non-Common may be removed when only the Common partition is loaded. Sync may also trigger this.

Conditions:
This happens when only the Common partition is loaded ('load sys config' or 'load sys config partitions { Common }'). It does not happen when another partition is loaded individually ('load sys config partitions { p1 }') or when all partitions are loaded simultaneously ('load sys config partitions all').

Impact:
When the system is in this state, the dataplane may not run the relevant snippets.

Workaround:
Loading all partitions, instead of just Common, will work correctly. (That is, 'load sys config partitions all' will cause them to be recreated.)

Fix:
Rules and objects now appear correctly in the new partition.

424379-7 : TMM may reset when loading many FIPS keys

Component: Local Traffic Manager

Symptoms:
If BIG-IP system is configured with many FIPS keys, TMM will constantly reset.

422314-2 : Multicast IPv4 or IPv6 packets can erroneously be looped back to the transmitting SFP interface on 2000, 2200, 4000, 4200 platforms.

Component: Local Traffic Manager

Symptoms:
tcpdump will show an inbound echo of some outbound L2 multicast IP traffic on the 2.x interfaces.

Conditions:
This will only occur when transmitting IPv4 or IPv6 packets to Ethernet multicast or broadcast addresses, and only on the 2.x bank of interfaces of a BIG-IP 2000, 2200, 4000, or 4200 platform.

Impact:
This may cause an incorrect or confusing fdb entry to appear for the source MAC address if the multicast IP packet is being bridged through from one interface on the VLAN to another (IPv6 router advertisements for example). For sites using neither IPv6 nor MAC level multicast IPv4 this is unlikely to occur.

Workaround:
The fix is simple, and can be implemented by editing an init script. In /etc/init.d/stratospfinit there is a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 >/dev/null 2>&1
Replacing it with a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 L2LBen=0,0 >/dev/null 2>&1
will fix the problem (a reboot is required after the edit).

Conditions:
This issue can occur when the sweeper is in aggressive mode and a memory allocation fails, initiating memory reaping.

Impact:
TMM crashes and restarts.

Workaround:
The customer needs to install an Engineering Hotfix with the fix for this issue.

Fix:
Memory reaping that occurs due to a failed allocation - when the system is under high memory utilization - now succeeds.

416292-7 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:

Fix:
Ensured that the active CMI connection is destroyed when mcpd is shutting down.

415616-1 : qkview may generate error messages for very long file names

Component: TMOS

Symptoms:
File names that contain more than 100 characters in the full pathname cannot be added to qkview files. If such filenames are encountered by qkview, they will be discarded. This will be indicated in both the meta.xml file and the qkview_run.data file.

Workaround:
Run qkview manually, and observe errors output to stderr. Copy these files manually to examine their contents.

413236-2 : SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more

Component: Local Traffic Manager

Symptoms:
SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Conditions:
This occurs with Client SSL profile name containing 32 characters or more.

Impact:
A full SSL handshake is executed rather than an optimized handshake, so that SSL resumption does not work. When this occurs, SSL session IDs might not be reused appropriately, and new SSL session IDs might be presented during the SSL handshake, while the previous session ID is still valid.

Workaround:
Change to an SSL profile with a name length of fewer than 32 bytes. Note: The 32-character limit includes the profile name and the characters that comprise the folder path (partition and folder). For example, the following profile name is 34 characters in length: /Common/client-ssl-profile-test123. For more information, see SOL14372: SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Fix:
The system now successfully resumes SSL sessions when a Client SSL profile name is 32 characters or more.

412089-1 : WAM policy matching error when multiple regex rules match

Component: WebAccelerator

Symptoms:
If multiple regular-expressions were evaluated in the decision to choose a WAM policy node, the incorrect node (or no node) might be chosen.

406224-1 : TMM may crash on standby with mirroring enabled

Symptoms:
TMM may occasionally crash after switching from standby to active when mirroring is enabled.

Conditions:
HA pair configuration and a virtual with mirroring enabled.

Impact:
TMM may crash.

Workaround:
Disable mirroring.

Fix:
tmm no longer crashes in the rare instance of moving from standby to active.

405752-4 : Monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
Monitors using TCP transport fail when sourced from ports 1097 (on some platforms), 1098, 1099, and 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS filters the packet and responds with ICMP port unreachable.

Conditions:
Use one or more monitors which rely upon TCP as a transport. Port 1097 will be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 1100, and 11050 platforms.

Symptoms:
If the access policy contains an AD Auth/Query agent, then when a user tries to log in to the BIG-IP system, it may request a password change if the password has expired. The password change operation fails when port 464 is not available over UDP.

Impact:
Potential impacts include: - IPv6 packets could be transmitted with checksums of 0, instead of the expected complement (all F's) as per RFC 768. - HSB lockups and resulting failover. - HSB lockups followed by hard system hang upon reboot.

Workaround:

Fix:
HSB v2.1.43.1 Bitstream release for BIG-IP 8900 and 8950 appliances contains the following fixes: - IPv6 packets are no longer transmitted with checksums of 0, and are instead transmitted with the expected complement (all F's) as per RFC 768. - Prevents HSB lockup and system hang on reboot with rare malformed IPv4 packets. - Improved arbitration of datapath shared between PDEs (Packet DMA Engines) to prevent rare HSB lockups.

388751-1 : With the wrong calculation of iov buffers from xbuf, TMM can crash.

Component: WebAccelerator

Symptoms:
There is a bug in xbuf_xcur_to_iov where the first call, made to find out how many iovec entries are needed, returns more than necessary. Since the return value is used to allocate the iov array, more entries are allocated than needed, and the parser uses the same value to walk through the iovec array. In this case, a portion of the iovec array is not used, and thus not properly initialized, which crashes tmm.

Symptoms:
The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands. If an iRule performs the 'nexthop' command, but a destination IP address is chosen by pool or node selection, the destination VLAN and MAC address will be a route to the selected destination IP instead of the requested nexthop.

Conditions:
This issue occurs when all of the following conditions are met:
-- One or more iRules associated with a virtual server use both the nexthop iRule command and one of the following Layer 3 iRule commands: pool, node, forward.
-- Both the nexthop command and the Layer 3 load balancing iRule command are triggered in the same connection.
This issue may also occur when the nexthop and Layer 3 forwarding commands are in separate rules associated with the same virtual server.

Impact:
The connection may be forwarded to the incorrect node or pool. As a result of this issue, it might appear that the nexthop command is ignored, with the other Layer 3 load balancing command taking precedence.

Workaround:
None. For more information, see SOL14196: The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands, available here: http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14196.html.

Fix:
The iRule 'nexthop' command now updates only 'nexthop' for the connection, and no longer overwrites the selected remote node's address.

383853-2 : Added argument "eom" as valid for TCP::notify

Component: Local Traffic Manager

Symptoms:
Need to signal end of message to the TCP proxy asynchronously in CLIENT_DATA/SERVER_DATA events.

Conditions:
All

Impact:
Can now signal TCP::release when done parsing messages in CLIENT_DATA.

Workaround:
None

Fix:
Added a synchronous event to signal end of message from the RCP rule event, to prevent the performance degradation seen when traffic is returned to the wrong source port.

381512 : Bringing system down with active tcpdump causes tmm to core

Component: Local Traffic Manager

Symptoms:
If the system is going down while an active tcpdump session is ongoing, it causes tmm to core.

Conditions:
Having an active tcpdump session while the system is going down.

369460-2 : Ability to delete SNMP configuration

Component: TMOS

Symptoms:
Before: the SNMP default configuration was in /defaults/config_base.conf. Users could modify it but could not delete it.
After: the SNMP default configuration is in /config/bigip_base.conf. Users can modify and delete it.

Conditions:
If a user deletes the default SNMP access control configuration and then runs "tmsh load sys config" or reboots the box, the deleted configuration comes back.

Impact:
Users are not able to delete the default SNMP access control configuration.

Workaround:

Fix:
After the fix, the SNMP default configuration is in /config/bigip_base.conf. Users can modify and delete it, and loading the configuration is consistent with the user's changes.

Symptoms:
A previously untruncated SNMP OID may now become truncated. For example, the following gtmRegItem OID
.1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2.23.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84.101.108.101.99.111.109.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51
can become truncated as
.1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2.17.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84.64.1.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51
The part 101.108.101.99.111.109 of the original OID is replaced by 64.1 in the truncated OID. During the truncation, 64 (the '@' character) is followed by the internally assigned attribute index, which is 1 in the above case.

Conditions:
Configuring long SNMP LongDisplayString objects that are part of the INDEX.

Impact:
A working, untruncated SNMP OID that is being monitored may change and become truncated.

Workaround:
Mitigation: configure shorter SNMP LongDisplayString objects that are part of the INDEX, to prevent the premature truncation. For example, ltmPoolMember has the following INDEX:
INDEX { ltmPoolMemberPoolName, ltmPoolMemberNodeName, ltmPoolMemberPort }
ltmPoolMemberPoolName and ltmPoolMemberNodeName are of LongDisplayString type, so they should be configured with shorter lengths.
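To make the truncation visible, here is an added decoder for table-index OIDs of the kind shown above; it is example code, not an F5 tool, and it assumes two things the page does not state: that the index begins right after the column OID .1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2, and that the index layout is string, integer, integer, string (inferred from the sub-identifiers in the example, not taken from the MIB). A variable-length string in an SNMP INDEX is encoded as a length sub-identifier followed by one sub-identifier per byte, which is why the original OID decodes cleanly and the truncated one, where the length was cut to 17 and '@' plus an attribute index were appended, no longer matches the schema a monitor would be keyed on.

```python
"""Decode and re-encode SNMP table-index OIDs whose INDEX contains variable-length strings.
Example code added to illustrate the truncation above; not F5's implementation."""

# Assumed split point: the index is taken to begin right after this column OID.
GTM_REG_ITEM_COLUMN = ".1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2"
# Index layout inferred from the sub-identifiers on the page, not from the MIB.
GTM_REG_ITEM_SCHEMA = ("str", "int", "int", "str")

# The two OIDs quoted in the issue text, byte for byte.
ORIGINAL_OID = (GTM_REG_ITEM_COLUMN
                + ".23.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84"
                + ".101.108.101.99.111.109.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51")
TRUNCATED_OID = (GTM_REG_ITEM_COLUMN
                 + ".17.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84"
                 + ".64.1.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51")


def split_index(oid: str, column: str = GTM_REG_ITEM_COLUMN) -> list:
    """Return the index sub-identifiers that follow the column OID."""
    if not oid.startswith(column + "."):
        raise ValueError("OID does not start with the expected column prefix")
    return [int(part) for part in oid[len(column) + 1:].split(".")]


def decode_index(subids: list, schema: tuple = GTM_REG_ITEM_SCHEMA) -> tuple:
    """Walk the sub-identifiers according to the schema. A string length that overruns the
    OID, or sub-identifiers left over at the end, means the OID no longer fits the index."""
    values, pos = [], 0
    for kind in schema:
        if pos >= len(subids):
            raise ValueError(f"index ended before field {len(values)}")
        if kind == "int":
            values.append(subids[pos])
            pos += 1
        elif kind == "str":
            length = subids[pos]
            chars = subids[pos + 1:pos + 1 + length]
            if len(chars) != length:
                raise ValueError("string length overruns the index")
            if any(c > 255 for c in chars):
                raise ValueError("string sub-identifier is not a byte value")
            values.append(bytes(chars).decode("latin-1"))
            pos += 1 + length
        else:
            raise ValueError(f"unknown schema kind {kind!r}")
    if pos != len(subids):
        raise ValueError(f"{len(subids) - pos} trailing sub-identifiers: {subids[pos:]}")
    return tuple(values)


def encode_index(values: tuple, schema: tuple = GTM_REG_ITEM_SCHEMA) -> list:
    """Inverse of decode_index: each string becomes its length plus one sub-identifier per byte."""
    subids = []
    for kind, value in zip(schema, values):
        if kind == "int":
            subids.append(int(value))
        else:
            raw = value.encode("latin-1")
            subids.append(len(raw))
            subids.extend(raw)
    return subids


def decode_oid(oid: str, column: str = GTM_REG_ITEM_COLUMN,
               schema: tuple = GTM_REG_ITEM_SCHEMA) -> tuple:
    return decode_index(split_index(oid, column), schema)


def encode_oid(values: tuple, column: str = GTM_REG_ITEM_COLUMN,
               schema: tuple = GTM_REG_ITEM_SCHEMA) -> str:
    return column + "." + ".".join(str(s) for s in encode_index(values, schema))


def decodes_cleanly(oid: str, column: str = GTM_REG_ITEM_COLUMN,
                    schema: tuple = GTM_REG_ITEM_SCHEMA) -> bool:
    """True when the OID parses under the schema with nothing left over."""
    try:
        decode_oid(oid, column, schema)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(decode_oid(ORIGINAL_OID))      # ('/Common/ShanghaiTelecom', 0, 0, '58.32.0.0/13')
    print(decodes_cleanly(TRUNCATED_OID))  # False: '/Common/ShanghaiT', then 64 ('@'), 1, ...
```

Under the assumed schema the original OID decodes to the name "/Common/ShanghaiTelecom" and the string "58.32.0.0/13", while the truncated OID yields "/Common/ShanghaiT" followed by the sub-identifiers 64 and 1 (64 is the '@' character, 1 the attribute index) and then fails with trailing sub-identifiers. That is the practical effect of the issue: any monitoring system that stored the full OID, or that parses the index, stops matching after the change.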

342013-3 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
The TCP filter does not send keepalives in FIN_WAIT_2 (half-close state). This may result in connections remaining open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters the half-close state, while the server keeps sending keepalives. This results in connections being kept open indefinitely if the client disappears, a firewall drops its flow entry, etc. The connection is never swept, because the server keepalives reset the idle timeout; one customer case had connections open for over 90 days without passing any data.

Impact:
Idle connections may remain open indefinitely.

Workaround:

Fix:
This is fixed by sending keepalives even in the half-close state: idle connections intentionally left open are still allowed, and clients that have disappeared are detected.

Symptoms:
If a OneConnect profile with a narrow source address mask (e.g. 255.255.255.255) is applied to a virtual server with a SNAT pool, existing idle server-side connections cannot be reused (because of the SNATted source address and the narrow source address mask), so new connections are created. Effectively, the pool member connection limits are interpreted as applying only to active connections, those with in-flight (HTTP) requests or responses.

Conditions:
This can happen when OneConnect is used with SNAT pools and narrow OneConnect source address masks.

Impact:
More TCP connections to pool members than expected will occur.

Workaround:
Relax the OneConnect source address mask width.

Fix:
This fix introduces a "limit-type" OneConnect profile option (currently supported only via TMSH and iControl/REST; GUI and iControl/SOAP support is in progress). The limit-type can take one of three values:
- none: behaviour is as before; "connections" are counted toward the pool member limit based on whether they have active, in-flight requests or responses.
- strict: a hard TCP pool member connection limit is enforced. No attempt is made to find a connection to reuse when at the TCP connection limit, EVEN IF ONE MIGHT BE AVAILABLE. This mode of operation is not recommended (though some customers find it useful with short idle connection timeouts).
- idle: if a client connection is accepted and the system is at or above the TCP connection limit, a random idle connection is dropped.

Symptoms:
With packet filter enabled with a default action of discard/reject, you might encounter the following symptoms:
-- Packet captures show that the BIG-IP system is receiving return traffic for one or more connections, but failing to forward those packets.
-- Some connections may fail. DNS traffic, or traffic with IP fragments, are more likely to fail due to how TMM handles connections.
-- If logging is enabled for the affected packet filter rule, many entries similar to the following example are logged to the /var/log/pktfilter file:
'local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 192.168.1.1 -- 192.168.1.2 ICMP 0:0]'

Conditions:
After configuring packet filters, you may notice that the BIG-IP system is incorrectly dropping the return packets of certain connections. This issue occurs when all of the following conditions are met:
-- The BIG-IP platform and software version support Clustered Microprocessing (CMP).
-- CMP is enabled globally.
-- CMP is enabled for the specific traffic-handling object.
-- Packet filtering is enabled with the Filter established connections option disabled (this is the default setting).

Impact:
The BIG-IP system incorrectly drops return packets, which may cause your applications to fail or work intermittently.

Workaround:
To work around this issue, you can either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example a SNAT), you can first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic, available here: http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html.

225443-3 : gtmparse fails to load if you add unsupported SIP monitor parameters to the config

Component: Global Traffic Manager

Symptoms:
Customers could either manually or via tmsh add unsupported properties to a GTM SIP monitor. Examples of properties that are supported by LTM SIP monitor but not GTM SIP monitor are "headers" and "filter neg". If these are added to a GTM SIP monitor definition in wideip.conf, gtmparse will fail to load the configuration.

Conditions:
Unsupported GTM SIP monitor properties such as "headers" and "filter neg" are added, either manually or via tmsh, to wideip.conf, and the customer then runs gtmparse to load the config, and/or the config is GTM-synced to another box and fails to load there.

Impact:
Gtmparse will fail to load the configuration.

Workaround:
none

Fix:
Gtmparse will now successfully load a configuration that contains GTM SIP monitors with the following properties: "headers" and "filter neg". Note that if a single box in a GTM sync group is upgraded to this hotfix version and the "headers" or "filter neg" GTM SIP monitor options are used, all of the boxes in the sync group must also be upgraded to this version for the config to sync successfully between them.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 14 that are included in this release

Cumulative fixes from BIG-IP v11.2.1 Hotfix 13 that are included in this release

TMOS Fixes

ID Number

Description

485012-2

CVE-2014-3566: A new command has been added to TMSH that allows the administrator to configure the SSL protocol version that is supported on the management interface. Use this command to enable or disable support for specific protocol versions. For example, the following command will disable SSL protocol versions 2 and 3, leaving TLS versions 1, 1.1 and 1.2 enabled: tmsh modify sys httpd { ssl-protocol "all -SSLv2 -SSLv3" }

486758

Resolved an installation error in which the management port did not come up, leaving the BIG-IP inaccessible to the automation system and requiring manual intervention.

Local Traffic Manager Fixes

ID Number

Description

450804-6

Improved TLS finish messages.

451218-7

CVE-2014-8730: Corrected Nitrox TLS padding.

454465-5

CVE-2014-8730: Corrected TMM TLS padding

485188-6

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 12 that are included in this release

TMOS Fixes

ID Number

Description

450058-6

Added changes from the RHEL 6.4 kernel sources that prevent possible lockup conditions by yielding to other tasks waiting for swap I/O requests to complete.

For a virtual with a TCP profile and using a pool with queue-on-connection-limit enabled, if the client begins to close a queued connection, BIGIP now immediately resets that connection.

389620-1

Resolved a potential core from a race condition in ssly caused by a timing mismatch of messages.

391039-1

FTP connections are now mirrored successfully.

392281-1

The Acct-Session-Id (type 44) attribute is present in the RADIUS accounting request packet.

393183-2

The ARL hash table has been rewritten as an open hash table with chained lists, so a hash collision no longer results in the loss of an ARL entry.

394789-1

On a VLAN with VLAN failsafe configured, the system now prevents the currently active vCMP guest from sending itself a probe to which it responds (which might have prevented the VLAN failsafe from triggering).

395460-1

The Address Resolution Lookup (ARL) table is no longer susceptible to collisions.

Pool members are properly counted when using TCP connection queueing and OneConnect together.

402801-1

Packets with an MTU size larger than 1500 are now handled correctly, avoiding unnecessary fragmentation that could lead to data corruption.

404116-1

A newly enabled pool member is now immediately used when the pool has queued connections to the other pool members.

404840-1

TCP connections that are queued due to unavailable pool members now complete successfully once pool member availability/capacity is restored.

405232-1

Fixed bug to improve system quality.

405237-6

pfmand daemon now generates the appropriate messages.

406666-2

Corrected TCP simultaneous close response to match RFC793.

407576-1

Fixed bug to improve system quality.

411101-1

Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.

411408-2

Fixed a potential TMM crash when the OneConnect profile is enabled.

414211-1

TMM will no longer send ARP or neighbor advertisements for proxied hosts to the same child VLAN that a request was received on.

417553-1

Fixed bug to improve system quality.

421145-3

Systems with many hundreds of active server-side flows on the affected thread no longer result in port exhaustion.

421768-3

Fixed a TMM SIGSEGV crash that can occur on BIG-IP 4000-series or 2000-series platforms that are low on memory and processing heavy amounts of compression and/or encrypted traffic.

421964-1

BIG-IP system now correctly aggregates an LACP-enabled link.

422897-4

FTP now works when port translation is needed.

423705-2

The SIP monitor will now internally retransmit a request after 0.5, 1, 2, and 4 seconds.

430746-2

iRule crash bug fixed.

436634-1

tmm no longer crashes if the profile changes and the virtual server is deleted immediately afterward.

437398-1

When datagram-load-balance mode is enabled on the UDP profile, the client's max udp payload size is "remembered" for the responses. If the BIG-IP system alters the response (e.g., DNSSEC signing) and increases its size beyond the max, before sending the response to the client, the response will be properly truncated (per the RFC).

438081-1

Bug fixed in zxfrd to continue large response processing.

439036-1

Multiple unnecessary restarts of zxfrd on startup are prevented by swallowing the "tag not found" error for zxfrd.

439712-3

Single SSL transfers will perform much better on 4200/2200.

440786-4

When a virtual server has a bad configuration, TMM no longer crashes; instead, that virtual server is simply not responsive.

441048-1

The DNS Express Zone Resource Record counts now display accurate numbers when an AXFR answer is returned for an IXFR query.

444710-1

Out-of-order segments received before 3WHS is completed are no longer dropped.

447091-4

Ensured that packet filters with orders greater than 32767 are able to be deleted.

448327-2

Prevents a memory leak when an iRule suspends or aborts a DNS command.

448846-3

A crash bug related to HSM and memory exhaustion has been fixed.

450713-6

Out-of-order segments received after FIN will be forwarded as expected.

452232-1

iRule no longer uses stale qname.

454018-1

The nexthop ref-count is thoroughly examined and corrected.

454463-6

A memory leak when executing a suspended DNS iRule many times has been fixed.

456942-3

After the fix, if the domain name in the iRule is invalid or memory allocation failure happens when modifying the RR owner name using the DNS:name iRule, TMM will not crash.

458597-1

There is no longer a memory leak when transferring a zone to zxfrd.

465866-1

The current tag file only indexes the sources for tmm. This makes it difficult to debug customer issues that reference code within libraries, primarily tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index the commonly used libraries along with tmm.

428864

Lowering the virtual server connection limit now works, even when traffic is already being processed.

450087

Unacknowledged TCP segments are re-transmitted upon re-opening of window.

452317

ARP entries reported as resolved will be removed upon expiration if they cannot be refreshed (i.e. resolved).

452482

Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections being offloaded to another pool member (if available).

454646

Fixed bug to improve system quality.

472680

Fixed regression found by internal F5 testing before release.

Global Traffic Manager Fixes

ID Number

Description

387999-1

Fixed a code defect that caused TMM memory usage to grow over time on a GTM system if the GTM is configured with persistence and/or an LB method that uses LDNS path metrics.

390086-1

The ZoneRunner GUI View moving functionality had a bug in that the View pulldown menu was empty. This bug has been resolved.

423317-3

Link status for GTM server and virtual server IPs should work properly now after a config load.

430200-1

When an explicit link is changed by a user on a server or virtual server configuration, the updated links should apply immediately.

437025-1

Very large configs will no longer cause big3d to be Aborted.

442980-1

All pool members returned now have their statistics increased.

Application Security Manager Fixes

ID Number

Description

225123-1

Non-latin characters in requests that were always presented correctly in the Configuration utility are now also presented correctly in the exported requests PDF document.

421452-3

We improved the Policy Builder's performance when processing a long list of Extraction URLs.

433407-2

Allow Base64 Import/Export of Policies and Signature files.

436924-4

We added the internal parameter "dont_norm_high_ascii". If the value is set to 0 (the default value), the system removes high ASCII bytes as part of the normalization process. If the value is set to 1, the system leaves and does not remove high ASCII bytes. Consider setting this parameter to 1 if your web application uses non-English encoding where high ASCII bytes are legal. Removing these bytes may lead to false positive detection of attack signatures when the remaining bytes exactly compose an attack signature.

438809-3

To improve brute force mitigation, we made the following changes:
- We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for failed logins. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second.
- In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now enter very low values such as 1 or 2 in the detection and suspicious criteria.

445508-5

We optimized memory usage for long requests, adapting it to the various platforms. We introduced a new internal parameter: long_request_mem_percentage. This parameter defines the memory percentage for long requests. The default is 10%. Upon upgrading to version 11.6, we discard the old internal parameter 'max_concurrent_long_request' in favor of the new internal parameter 'long_request_mem_percentage'.

447319-1

Due to the fact that our PDF generating mechanism does not support all character encodings, you now have the option of exporting Requests and Event Correlation as an HTML file, or as a PDF file.

447331-1

Improved handling of potential memory issues found in F5 testing in multiple locations when working with umem.

447489-1

Resolved potential crash found by F5 internal testing.

464371

On the Charts screen, selecting to view statistics from "Last Month" will now only display data from the last 30 days.

Access Policy Manager Fixes

ID Number

Description

390462-4

Visual policy editor now supports Internet Explorer 10 and 11.

397958-1

These logs (referer_log and agent_log) under the path /var/log/httpd/ are now being rotated periodically under the control of logrotate.

400433-6

Daemons (apd/apmd) are more robust.

416076-2

Applying Access Policy completes two steps now.

417751-2

Hex-encoded HTML entities are decoded on the client side before URL rewriting.

420736-2

[Mac][Linux]Set 100Mbps speed of PPPD instead of 9.60 Kbps.

423430-1

Valid host characters from the 'Host:' header, up to the first invalid character, are now used.

424253-5

BIG-IP APM changes required for Windows 8.1 support.

424357-3

Resolved a rare case in which URIs were not properly percent-decoded.

424587-7

A SharePoint 2013 homepage can now successfully render in Internet Explorer 11 when it runs through APM content rewrite.

429286-4

Added test for History object into F5_Invoke_go(obj,url).

430330-2

Swap functionality is restored

430833-2

Now Network Access client proxy settings are correctly applied on Windows German with IE10.

432784-13

Clean up the memory buffers that store sensitive information immediately after usage.

433605-4

At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.

433982-3

Detection of Internet Explorer is improved in APM Portal Access.

435329-2

Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.

435552-1

Now Java applets correctly work when client proxy is configured for Network Access connection.

Now Java RDP and Java App Tunnels work without showing a security warning.

440792-1

Client proxy settings specified in a Network Access resource are applied without an occasional miss now.

443139-5

Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a side effect, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.

445970-6

[Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51

450845-6

Under logging stress, logd no longer writes duplicate fd errors in the log.

453164-1

Routes are restored after disconnecting from the Network Access connection.

454550-1

Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.

458211-7

The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.

449793

Edge Client is now force-restarted when a new epsec build is installed on the BIG-IP.

Service Provider Fixes

ID Number

Description

409675-1

Set error code appropriately when checking for SIP/1.0

420588-1

SIP ingress queue length was 16 and is now 512. TMOS v11.3 and later uses the larger buffer size.

The mblb profile's egress settings control the egress pending queue size and prevent it from growing to a size that impacts the performance of other connections.

431635-1

SIP connections with MBLB+OneConnect are no longer being terminated upon failure to send/connect to the client.

433665-1

The reference counting is shared between the proxy and the filter. This prevents the message from being released by the filter since the proxy holds the reference to the SIP message.

450001-1

Flow control in the SIPP filter no longer blocks flow improperly.

450019-1

When you use the LB::prime pool command, the system tries to flush the queue, but if there is server-side congestion the messages do not get processed. However, if there is no LB::prime, the queue is not flushed.

Global Traffic Manager Fixes

ID Number

Description

386747-1

The search should now function properly.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 10 that are included in this release

Pluggable module media ability is now read at module detect time. This fixes the behaviour where this information was incorrectly read and cached prior to module probing, which caused CuSFP to fail auto-negotiating to 10/100 speeds.

Host-based traffic now egresses from the same TMM instance on which it ingresses when the destination IP address CMP hash algorithm is enabled for a VLAN.

387679

Disk monitor now correctly monitors the root filesystem.

409991

An internal process to handle firmware installation into Engineering hotfixes was improved.

412642

When the floating management configuration is handled internally, all other management IP addresses are wiped out and the floating IP is reprogrammed as primary.

416659

Device sync has been fixed in TMOS 11.4.0 to appropriately fix FIPS key handles after each sync operation.

420188

This release corrects the issue in which mcpd failed to synchronize a device group and logged the message indicating that the sync for the device group was already in progress to a different device. In this release, the system does not block a load when another load is already in progress.

424173

Network device configuration no longer causes some of the directories under /sys/class/net to become unreadable.

427071

Resolved issue preventing GUI from displaying traffic selector list.

427342

If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page now correctly renders without error.

428706

False positive messages warning of 100% CPU use have been corrected.

431160

Fixed divide by zero kernel panic.

437739

TMOS now monitors all tmms for looping/locked on a Centaur/Victoria2 BIGIP.

Local Traffic Manager Fixes

ID Number

Description

374792-2

Added the global DB variable ARP.ReapTimeout, analogous to IPv6.Nbr.ReapTimeout, to control expiration of ARP table entries. Note the default value remains the current 20 seconds, which is substantially smaller than the IPv6 default of 3600 seconds.

377421-3

Fixed an issue whereby persistence records that are subject to matching across virtual servers could cause TMM to reset the traffic.

422800-4

F5 OPT-0011-00 1Gb LX fiber SFPs are now enabled successfully when inserted into an SFP port in a BIG-IP 2000-/4000-series appliance.

374553

Proxy SSL now supports TLS 1.1 and TLS 1.2 handshakes.

382682

Mid-stream SSL renegotiation now functions correctly for Virtual Servers with clientssl and serverssl profiles that have Proxy SSL enabled.

391440

FIPS certificates can now be viewed correctly on a sync'ed pair device.

410051

This issue is not a memory leak, but an error in how the memory stats are incremented/decremented. There are two different mechanisms that can be used for allocating/freeing memory, one which increments/decrements the stats and another which doesn't. This type of memory (magazine cache) used both mechanisms, which caused the stats to be incremented on an allocation and not decremented when freed. It is only safe to choose one mechanism and always use that same mechanism for allocating/freeing memory, which was the fix for this issue.

410368

This fix allows all 1.x ports on the 2x00 and 4x00 platforms to be enabled and disabled separately without impacting other ports.

410680

The DNSSEC hash algorithm will be changed from SHA-256 to SHA-1.

413213

CPU usage is no longer adversely affected when HTTP cookie encryption is used.

418781

The TMM has been fixed to delay linking child route-domains until all the RD's are loaded.

420200

More types of DNS messages are now passed through the BIG-IP system, so that, for example, the DNS_UPDATE response (which is a valid header-only DNS message) is correctly passed through without processing.

420941

A potential TMM crash in low-resource situations with persistence cookies no longer occurs.

424040

TMM no longer restarts on assertion "tunnel is on different tmm".

425580

By setting the confg.allow.rfc3927 database variable to "enable," addresses in the 169.254.0.0/16 range can be configured on a BIG-IP.

425921

Compression on the 4200v platforms now behaves properly in these cases.

425953

The commit ID is now synchronized to secondary blades of a chassis; a sync will not be required if a different blade becomes primary.

427012

BIGIP no longer truncates DNS over TCP; nor does it send more than 512 bytes over UDP when edns0 is not present.

427607

The fix is to modify the polling behavior in the quickassist driver to allow more efficient handling of hardware compression requests.

427972

Unrecognized or non-standard types are ignored for the purpose of stats collection.

428150

The fix is to include the latest version of the quickassist SDK to resolve dependencies between the quickassist driver and quickassist libraries.

431602

TMM now switches over gracefully during failover when there is a rate shaper profile in use.

431914

The v1.1 cave creek firmware allows for compressed streams greater than 4 gigabytes. This addresses the issue where requests for file download (with compression) resulted in a reset when the compressed stream exceeded 4G in size.

434336

Resolved a rare condition found in F5 testing that could cause a core.

Global Traffic Manager Fixes

ID Number

Description

384629

GTM configuration synchronization will now exit gracefully upon failure.

390576

Fixed a code defect that caused certain GTM virtual servers hosted on LTM servers to be marked DOWN although they are actually UP.

Big3d no longer restarts in certain circumstances when retrying a connection to mcpd, and no longer produces a segmentation fault.

426957

Attempting to create a zone using the ZoneRunner GUI using the "Transfer From Server" option now works correctly.

429127

Changes in the DNS Zone Files are now properly synchronized between peer GTM group members.

431157

GTM now correctly includes all information necessary for the monitor to make the correct determination of status.

433358

The Active member of the HA Link Controller pair will now display the correct stats and apply the correct traffic-based limits.

Application Security Manager Fixes

ID Number

Description

433418-4

After updating the GeoIP database (see SOL11176) and restarting the ASM bd daemon, the bd daemon no longer fails to read the system's GeoIP files (/shared/GeoIP/).

366861

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

405316

We introduced two internal parameters in order to enable users to control the time it takes for the remote logger to try and re-establish a connection to the external syslog server. This is in order to prevent the remote logger from delaying client requests if the external syslog server is unreachable. The new parameters are the following:
- remote_logger_reconnect_timeout (default is 5 seconds)
- remote_logger_reconnect_max_failed_messages (default is 3 messages)

423009

The Enforcer no longer crashes upon startup if remote logging for ASM is assigned to hundreds of virtual servers.

426425

We fixed a scenario where, under certain circumstances, part of a request that was blocked by ASM appeared in the response to a subsequent non-blocked request.

427147

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

428327

We fixed an issue that happened rarely, where the Enforcer crashed after connecting and disconnecting VIPRION blades due to memory corruption.

Access Policy Manager Fixes

ID Number

Description

424244-1

Client initiated form based SSO no longer fails to replace password token in rare cases when using Internet Explorer.

429661-1

Fixed an issue where a window.XMLHttpRequest overridden by web application code was used for the internal needs of Portal Access instead of the real XMLHttpRequest.

381486

Information about session length, connection timeout and idle time has been added to BIG-IP Edge Client. Information about the tunnel type used, session length, idle time and session timeout has been added for web browsers.

382166

A session timeout issue with the internal F5_ST cookie was fixed: if a proxy is used and that proxy follows RFC 6265, the F5_ST cookie was corrupted.

384311

Previously, after establishing and closing a Network Access connection with the option Force all traffic through tunnel enabled and the option Allow Local Subnet disabled, the client machine became unreachable from other hosts. Now the client machine remains reachable.

384391

Now one Network Access resource can be launched automatically right after user login.

385460

Now the rules for determining when a request with a hostname should be sent via the proxy configured in a Network Access resource are as follows:
1) if the hostname matches DNS Address Space, the request is sent via proxy;
2) if any IP address of the resolved hostname matches IP LAN Address Space, the request is sent via proxy.
Also added special handling for the IPv4 prefix "0.0.0.0/0" and the IPv6 prefix "::/0", which are not recognized by isInNetEx.

A Windows RT branch is added to the "Client OS" action in APM Access Policy.

430404

Fixed an issue where Firefox could freeze during cookie transport between the client and APM.

430565

The manifest file version was updated for Google Chrome plugins.

430669

The issue where Internet Explorer 11 did not always allow access to "window.opener" is fixed.

430965

Resolved issue where Windows 8.1 SetupDiGetDeviceRegistryProperty function returned hardware IDs with spaces replaced with underscores, to allow VPN driver to be uninstalled. This addresses issues with the VPN driver update.

Fixed the communication problem between local and remote endpoints in a WAN optimization setup. The problem exists only when a multi-blade chassis is present on both sides of the WAN communication. The problem may not be visible without an HA setup (Active/Standby boxes).

Cumulative fixes from BIG-IP v11.2.1 Hotfix 9 that are included in this release

TMOS Fixes

ID Number

Description

426341

BIND has been updated to address CVE-2013-4854.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 8 that are included in this release

TMOS Fixes

ID Number

Description

391843-8

Deleting and re-creating File Objects (keys, certificates, iFiles, etc) with the same name no longer causes the new version of the file to fail to synchronize to peers during config-sync operations.

406929-2

We now capture alerts and the new primary sends the alerts upon going to primary.

411151-2

1) Detect tunnel loops due to misconfiguration and abort transmission if detected.
2) Set EtherIP tunnel overhead to zero. This will allow encapsulation of packets with lengths less than or equal to the MTU size of the underlying interface.

Fixed corner-case of file objects where the contents were not updated appropriately.

362619

A memory leak in real-time statistics (rtstats) has been fixed.

387361

The system now correctly syncs status after device reboot.

391584

This Machine Check Exception is resolved by HSB bitstream v1.4.3.0, which is included in the following BIG-IP versions and later:
- BIG-IP v11.2.1 HF8
- BIG-IP v11.3.0

396261

Syncing is now more robust in the case of specific monitor instances that match the pool monitor rule.

397939

When a 4200v box is powered up, the system no longer posts a false negative, power-on event message. Also, messages reporting a system power-supply event now correctly identify the appropriate power supply as the source of the report.

This problem occurs infrequently on VIPRION B4300 blades. It is possible that this problem may also occur on VIPRION B4100 and B4200 blades. The problem may occur when BIG-IP installs a newer Host PIC firmware version than is currently installed on the VIPRION blade. This firmware update is typically performed when BIG-IP boots and determines that the firmware installed on the Host PICs is older than the Host PIC firmware version included in BIG-IP. This issue is resolved in BIG-IP versions 11.2.1 HF8, 11.3.0 and later.

The BIG-IP configuration will have correct failover traffic group assignment for the "/", "/Common" and other non-default system folders.

405195

Fixed bug to improve system quality.

405839

Improvements in hard drive error detection and correction have been made.

407674

Devices in a data group should no longer fail to sync with the following error message after an upgrade from earlier 11.x releases: Sync error: "Caught configuration exception (0), file(/config/filestore/.snapshots_d/data_group_d/fileobjectname ) expected to exist."

411064

The fix drops a packet whenever the misconfiguration conditions are detected.

Packets handled by mirrored Standard (L7) virtual servers during a failover event are now processed in a more timely fashion by the newly-Active system.

386991

DHCPv6 pool members are no longer required to have a persistent route to prevent a tmm crash.

391242

Fixed a defect which could cause TMM to core and restart while handling access policy traffic.

393297

The TMM could crash under load in some circumstances. The issue has been corrected.

401718

TMM no longer has the potential to crash when handling certain iRule commands that suspend execution ('after', 'session', etc) in SERVER_CLOSED events.

403111

HSB tx watchdog failsafe has been increased to a reasonable value that avoids triggering the failsafe in circumstances where the HSB is not locked up, just consistently utilized.

412586

Fixed a rare condition where the ARP table for one TMM may get out of sync with the others for a period of time, causing connectivity failures. This can happen more frequently when VLAN failsafe is configured.

413477

The BIG-IP system now load-balances to pool members when a pool is chosen from an iRule, fallback persistence is configured, and the virtual server has no default pool. Multiple iRule persist commands also now work as expected when the persist record exists on a remote TMM.

Fixed a TMM core that could occur while processing certain connection teardown scenarios for virtual servers with a DNS profile. The following log message could indicate that this was encountered: 'Assertion "valid pcb" failed'.

420498

If a query that does not have the RD bit set is answered by a virtual server with transparent cache enabled, a subsequent query for the same query name with RD bit set will get a correct answer.

420585

An occasional TMM crash when using a DNS cache resolver or validating resolver has been corrected.

422105

Transparent DNS Cache no longer inserts a truncated response into the cache.

Global Traffic Manager Fixes

ID Number

Description

406176

Fixed a code defect which causes high memory usage by the big3d agent in certain configurations.

Application Security Manager Fixes

ID Number

Description

398699-1

The Enforcer now correctly injects JavaScript when tags generated by JavaScript are split between quotation marks, like: 'ht' + 'ml'.

397551

We improved the way we implement the web scraping feature's client-side challenge so that when web scraping triggers a client-side challenge to a page of the web application, the user can click on a link in that page and click the "BACK" button on the browser without the browser displaying an error message.

401957

We created a new internal parameter, "cs_embedded_script", whose value the Enforcer inserts into the client-side check challenge response. This was done to improve how Google Analytics learns direct links.

405001

We fixed a crash that rarely occurred during regular-expression signature matching on excluded headers. Currently, we perform better verification on PCRE functionality.

We added the internal parameter "FTP_access_error" that controls the response code and string sent by the system after it blocks an FTP command. The default response code and string the system sends for a blocked FTP command is "550 Requested command not allowed".
To add the parameter, from the command line, type:
./add_del_internal add FTP_access_error "[response code] [String message]"
To delete the parameter, from the command line, type:
./add_del_internal del FTP_access_error "[response code] [String message]"

410800

Older learning suggestions are always removed before newer ones, even if ASM is restarted. This was sometimes an issue in previous releases.

412201

We fixed the way the Enforcer handles cases of invoking a client-side challenge, where reconstructing a POST request to a GET request is needed. The system no longer blocks these requests with the "HTTP protocol compliance failed: Unparsable request content" violation.

415008

There is no longer a JavaScript error when there are multiple injections of AJAX or CSRF code in the response (for example, if the AJAX Blocking page or CSRF feature is enabled).

418396

You can now have the risk and accuracy of each signature logged in the remote logger appended to the signature names. To do this, from the command line, set the new internal configuration boolean variable "remote_logger_include_sig_risk_accuracy" to 1 (enabled). Its default value is 0 (disabled).

419396

Improved APM reliability for clients

419884

If the system performs an automatic attack signature update, it also now honors the "Auto Apply New Signatures Configuration After Update" setting when it is enabled.

420108

Policy export in XML format now includes all attack signature settings, even if attack signatures were deleted from the system.

420315

The system now reports brute force drops even from the last seconds of an attack.

420376

The Enforcer internal encoding table is no longer corrupted when all of these conditions are met:
- A security policy has an encoding language that has many secondary encoding languages (such as the Chinese encoding).
- The Enforcer receives transactions at a high rate with parameters or URLs in different secondary encoding languages.
- At the same time, the user reconfigures the security policy and changes the encoding to one of the secondary encoding languages.

421250

The Enforcer no longer crashes when the remote logger is enabled, and FTP or SMTP traffic has a security violation that should be logged, and the connection is then closed (on the server side or the client side).

421438

Methods in WSDL files that contain non-alphanumeric characters (such as period) are now enforced correctly.

421450

We fixed an issue that sometimes caused the Enforcer to incorrectly parse multipart data.

421451

The Automatic Policy Builder no longer crashes when processing thousands of URLs in the Extraction list.

423797

We added the following internal parameters that you can add to headers and URLs in order to avoid requests receiving a client-side challenge:
- cs_excluded_headers - Contains one or more headers, separated by a comma [,]. When one of these headers is present in the transaction, the client-side challenge is not injected in the transaction. (The URL qualification will still work in this case, as it is expected that the same URL may appear with or without these headers.) The default value is an empty string.
- cs_excluded_urls - Contains one or more explicit URLs, separated by a comma [,]. These URLs will never be qualified for a client-side challenge. The default value is an empty string.

Application Visibility and Reporting Fixes

ID Number

Description

421437-1

Devices no longer report as unsynchronized due to scheduled report transmission.

Access Policy Manager Fixes

ID Number

Description

354474-1

Improved APM reliability for clients

416238-2

Improved APM reliability for clients

357882

Improved APM reliability for clients

359227

Improved APM reliability for clients

361822

Improved APM reliability for clients

369886

APM webtop does not show Citrix client detection dialog on mobile devices anymore.

376000

Uploading files when accessing a web application using APM portal access mode now works correctly. This includes sending an email message with an attached file using OWA.

378969

Now a captive portal is properly detected in the Force all traffic through tunnel mode.

385982

Improved APM reliability for clients

388014

WEBSSO works when you select a BASIC SSO configuration using the WEBSSO::select iRule command even in the following situation. The default configuration in the ACCESS profile (or resource) is FORM BASED and uses session variables (for example, in Hidden Form parameters).

396078

WebSSO did not fully reset the SSO configuration context on new requests on the same flow. With this fix, multiple SSO objects behind one LTM virtual server with a reused client/browser flow reset the SSO configuration state between requests.

402070

Improved APM reliability for clients

402092

Improved APM reliability for clients

402324

Improved APM reliability for clients

402556

Improved APM reliability for clients

402699

For BIG-IP Edge Client on Windows systems, when APM network access is configured to close idle connections, a notification about the idle connection displays ahead of time.

403832

Fixed a memory leak when accessing some flash files through APM Portal Access

405242

Improved APM reliability for clients

405365

An ActiveSync device may fail to finish a request for various reasons, such as a bad signal, and the connection is then reset. Rarely, if this request was the one trying to establish a session, it left stale state in APM, which prevented the device from recovering for a certain period of time, until the stale state was deleted automatically. This fix allows the device to recover early.

406603

Improved protection for CSRF.

406844

Improved system reliability with fixes for bugs found by internal F5 testing.

406969

Improved system reliability with fixes for bugs found by internal F5 testing.

407148

APM now works with ActiveSync on Windows Phone 8, Windows Phone 7, and Windows RT devices.

407747

Improved APM reliability for clients

408138

Improved APM reliability for clients

408426

A TMM crash that occurred when a legacy standalone client connected a second time is now fixed.

408695

Split domain now works consistently with the HTTP 401 Response action.

409887

APM can now display up to 100 resources (maximum 20 characters length) on a webtop.

410179

Import is now working for both encodings.

411422

Improved APM reliability for clients

412041

PWS starts on Windows XP even when the browser uses a large amount of memory.

412138

You can now import an access policy when a new ACL is order 0 and an ACL with that order already exists.

412435

Fixed an issue where two clients were assigned the same IP address from the same lease pool when establishing a Network Access connection channel.

412493

This release fixes a memory leak that occurred when APM cached many /vdesk/my.acl URIs for tunnel traffic.

412665

Fixed an issue where new Network Access tunnels failed to establish on the new active device during a failover when using LDAP for authentication.

412797

JavaScript source conversion to UTF-16 is fixed.

413415

Improved APM reliability for clients

413661

Access policies that were copied from other policies no longer lose their images when the original policy is deleted.

SSO plugin now caches the load balancing decision made during the first request/response and reuses the same load balancing policy to send the type 1 message.

415392

iRules are now visible even if APM is unlicensed.

416042

Improved Firepass client and server support for better system behavior.

416339

After an authorization failure, APM webgate redirect behavior is now similar to Oracle webgate redirect behavior and obssocookie is no longer reset to loggedoutcontinue.

416574

Improved Firepass client and server support for better system behavior.

416658

Improved security through access policy for multidomain SSO.

417908

Now accounts in Citrix Receiver for Windows can be registered by entering only the domain name of the APM virtual server.

418610

Various APM related cookies are now set to a secure option.

419295

An ACCESS session can no longer be shared inadvertently by a Citrix Receiver that connects to different virtual servers on the same BIG-IP system.

419773

419780

APM now encodes URLs for the prevention of XSS attacks using a less aggressive mechanism.

419955

CPU usage by Kerberos library during some error conditions is acceptable now.

421315

A TMM core for network access scenarios no longer occurs.

421356

A rewrite plugin crash that could happen when accessing some HTML pages through APM portal access no longer occurs.

421522

APM now handles an empty AVP-24 ("state") in a RADIUS Access-Challenge request.

421566

The logd service could core due to an unsafe localtime() call. The root cause of the logd core has been corrected by using the thread-safe localtime_r() call.

421711

Improved APM reliability for clients

422331

The access policy Deny ending agent displays the correct error message now for some additional cases: Your session could not be established.

422488

Improved APM reliability for clients

422830

Improved APM reliability for clients

423417

Improved APM reliability for clients

424007

Properly restore connections after reconnecting.

424113

Resolved bug so the "add new entry" button works with newly created Variable Assign action.

424117

APM supports Windows Citrix Receiver 4.0.

424196

Improved APM reliability for clients

425095

Improved APM reliability for clients

WebAccelerator Fixes

ID Number

Description

387559

Fixed a defect which could cause the wamd process to core and restart.

Wan Optimization Manager Fixes

ID Number

Description

393941

The assertion, "valid isession pcb", no longer occurs when application or optimized tunnels are terminated.

395974

APM: a TMM crash bug has been fixed.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 7 that are included in this release

TMOS Fixes

ID Number

Description

421718

Local Traffic Manager Fixes

ID Number

Description

409219

IPv6 packet reassembly now succeeds.

421614

Handling of qnames in DNS requests has been made more robust.

Access Policy Manager Fixes

ID Number

Description

420103-1

CVE-2013-0150 is closed now.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 6 that are included in this release

TMOS Fixes

ID Number

Description

408085-1

Integrate Victoria LOP firmware v1.18 into Victoria TOS

410168-1

Support new hardware platforms.

410169-1

Support new hardware platforms.

412078-1

Integrate Victoria LOP firmware v1.19 into Victoria to BIG-IP.

327024

A routing issue with the management address of chassis platforms has been corrected.

373068

A link routing issue with the management interface on cluster primary for chassis based platforms has been corrected.

387640

syslog-ng has been updated to version 2.1.4.9.el5.

388277

Starting with hostpic firmware version 5.02, the fan speed set messages were incorrectly filtered for Puma1 and Puma2 blades and, as a result, not forwarded to the fan controller. As a built-in safe-guard, when the fan controller does not receive fan speed set messages, the fans operate at 100% duty cycle. The hostpic firmware has been fixed to allow processing of fan speed control messages from BIG-IP.

396064

Fixed a defect that could cause previously in-sync device groups to become out of sync when one device is rebooted.

404255

Fixed an issue where, when setting the Sync Leader, the packet-filter-trusted settings were incorrectly cleared.

405400

mcpd no longer loops waiting on input from background processes, avoiding a situation where it could drop a core file after receiving a heartbeat timeout.

405638

GTM/big3d now correctly identifies LTM virtuals in traffic group 'none' and 'traffic-group-local-only' as HA active.

Fixed an issue where software images might not be detected on a blade after it is moved to a new slot in the chassis. The resulting status for the image during this condition is: "waiting for product image".

413217

The ability to boot BIG-IP Virtual Edition or vCMP guests with less memory than they had previously been allocated has been made more robust.

Local Traffic Manager Fixes

ID Number

Description

365766

We have significantly mitigated the possibility of a TMM core and failover event that manifests with the following panic log message in /var/log/tmm:
- Assertion "rt_entry ref valid" failed.

372295

LACP no longer gets in a state where ports in a trunk that have been moved or re-ordered do not fully function as a reference port when there is another real functioning port in the trunk. LACP would stay in this state without a timeout until the reference port recovered. Now, LACP detects the state and moves the reference port to the real functioning port.

Fixed a TMM memory leak that can occur when ramcache is enabled on a virtual server that issues an HTTP::disable command in an iRule.

388869

There is a new option for a DNS Express zone which allows one to disable TSIG verification for NOTIFY messages it receives from the Master DNS server. To accomplish this, issue the following command:
tmsh modify /sys db dnsexpress.verifynotifytsig value false

394484

In this release, LTM fixed a bug that sometimes returned an ETag header containing a NUL (0) character.

A TMM crash that occurred during FTP failover, when a lasthop pool is configured for the FTP virtual server and the failover action is reselect, is fixed.

397637

Fixed an issue where lasthop pool failover does not work for FTP uploads or downloads when fail-over involves two different networks and connection.vlankeyed is set to disabled.

398059

Fixed a TMM core which could be triggered by, among other things, FastL4 and persistence profiles on a virtual server.

398414

Certificate Revocation List verification now functions correctly when the client certificate being verified and the CRL are signed by different Certificate Authorities.

398593

Fixed a problem where route pool failover did not work for FTP.

399825

Passive FTP now works when a no-translate virtual server and a gateway pool are configured. Previously, the client received a RST with cause "NO ROUTE to host".

404706

Fixed a timing issue where, in some rare circumstances, not all blades in a chassis system will become active when the chassis comes from standby to active.

405652

Default routes are now correctly propagated via IS-IS to peer devices when "metric-style wide" is configured.

407145

BIG-IP no longer drops tunnel packets when the traffic group has an HA MAC masquerade configuration.

417057

When DNS cache is enabled, TMM will not crash when processing a malformed DNS query with name compression, because the malformed DNS query is not sent to the DNS cache. It is processed according to the "Unhandled Query Actions" configured in the profile.

419412

Global Traffic Manager Fixes

ID Number

Description

391991

This fixes a regression from v10.x, introduced in v11.0, which caused different GTMs in a sync group to auto-discover virtuals inconsistently when synchronization is disabled for the sync group.

403125

GTM virtual server auto-discovery now works correctly when the GTM is v11.x and an LTM is upgraded from v10.x to v11.x.

Application Security Manager Fixes

ID Number

Description

366011

An empty Accept-Encoding header no longer triggers the HTTP Protocol Compliance sub-violation "Header name with no header value". This complies with the RFC.

377191

An Enforcer core was fixed that happened on a blocked request that had some specific matched attack signatures and had the signature names ("sig_names") field in the remote logger.

394960

We improved the way the system handles evasion techniques.

394980

Security Policies built using the third party vulnerability assessment tool output scenario are now not case sensitive, by default.

401538

Learning suggestions are presented with full request data even in the case where one type of violation already exists in the Learning database and is then triggered repeatedly.

407871

We fixed an issue that sometimes caused a problem with the attack signature configuration after rolling forward a system configuration.

407937

The system's XML parser now recognizes "0" and "1" as valid xsi:nil boolean values, so that XML elements that contain the attribute xsi:nil="1" no longer incorrectly trigger an XML violation.

408846

The JavaScript code that ASM inserts when the CSRF feature is enabled now conforms to the W3C standard.

409405

When a NULL character appears in a header or a request payload, the system now continues to enforce the rest of the request.

409423

We fixed an issue where ASM sometimes injected client side JavaScript in responses when it should not have.

409752

We eliminated a large growth of memory to the system (causing an out of memory error) that sometimes occurred while the system reported Web scraping attacks.

409787

We fixed an issue where the Enforcer might crash if a malformed JSON request is sent.

411202

To allow for backward compatibility with previously archived logs, and multiple versions of ASM, remote logging profiles have the fields "http_class_name" and "web_application_name". Both these fields report the name of the HTTP Class.

417604

The system no longer crashes when there is remote logging for an FTP or SMTP security profile.

Access Policy Manager Fixes

ID Number

Description

394363-7

BIG-IP Edge Client and client components were unable to install due to an expired certificate. This problem no longer occurs.

BIG-IP Edge Client and client components were unable to install due to an expired certificate. This problem no longer occurs.

405956

A transient interruption in communication with a KDC resulted in a 10-minute lockout if no alternate KDC was available. The lockout interval could save time by preventing repeated attempts to use an unavailable KDC. However, if no alternate KDC is available and the interruption is actually brief, the lockout is excessive. The lockout value is now configurable. For more information, see SOL14319 on www.F5.com.

406444

Improved Firepass client and server support for better system behavior.

407273

Improved system reliability with fixes for bugs found by internal F5 testing.

407603

Possible XSS via cookie tampering on APM logout pages has been fixed.

409252

Improved Firepass client and server support for better system behavior.

409773

Added special handling for non-IE browsers to resolve client issues.

409912

Support for Chrome 25 has been added.

409946

Support for Firefox 19 has been added.

411792

If you use the iRule "ACCESS::session data set" with an invalid SID, TMM no longer crashes.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 5 that are included in this release

TMOS Fixes

ID Number

Description

416636

BIND has been updated to address CVE-2013-2266.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 4 that are included in this release

TMOS Fixes

ID Number

Description

394417

IPsec SHA1 authentication now works on VADC.

394432

Secondary blades now bring their interfaces up when booting for the first time from a new install when VCMP is provisioned.

397825

CVE-2012-4929, CVE-2012-4930: protection against the CRIME attack.

401193

A self IP can be created within a partition which has a default route domain set.

403928

mcpd no longer cores when upgrading configurations with APM rules.

405366

IPsec no longer stops handling incoming ESP packets after rekey.

406904

Improved system reliability with fixes for bugs found by internal F5 testing.

407028

A Linux kernel bug causing unpredictable errors up to and including crashes after 208.5 days of uptime has been fixed.

409303

Upgrading configurations with iApp templates no longer causes configuration loads to fail with an error like the following: "01070734:3: Configuration error: The object (folder /Common/foldername.app) is owned by a non-existent application (/Common/foldername.app/foldername)."

410001

iControl calls no longer fail with the following error message on the BIG-IP system: "01180009:3: get_ff_present feature flag 310 out of range."

Local Traffic Manager Fixes

ID Number

Description

385579

A condition that could lead to a TMM core during persistence-record mirroring when the standby device comes online has been corrected.

398102

Fixed an issue which could cause traffic disruptions when running v11.2.0 or later vCMP guests on vCMP 11.1.0 or earlier host.

405418

Fixed a TMM core which could happen while running ASM or other plugin modules.

407706

BIG-IP is no longer susceptible to the attacks described in CVE-2013-0169.

408753

TMM no longer cores when enabling the dns-cache feature.

Global Traffic Manager Fixes

ID Number

Description

224131-1

New gtm global setting send-wildcard-rrs was introduced in 11.0.0. It is disabled by default. When enabled, it is supposed to trigger resource record auto-creation in BIND when creating wildcard wide IPs. But this functionality never worked. It is fixed in this release.

224131

New gtm global setting send-wildcard-rrs was introduced in 11.0.0. It is disabled by default. When enabled, it is supposed to trigger resource record auto-creation in BIND when creating wildcard wide IPs. But this functionality never worked. It is fixed in this release.

406751

This fix corrects a defect whereby a GTM using topology load balancing can intermittently experience TMM crashes shortly after topology records are added or removed from the configuration.

407256

GTM is now able to collect the right hop count for LDNSs.

Application Security Manager Fixes

ID Number

Description

406792

We improved the PSM SMTP code in order to prevent system cores.

407867

We fixed an issue that sometimes caused the Enforcer to crash when it updated the statistics counters of SMTP violations.

407908

We fixed a scenario where some bad JSON requests sometimes caused the Enforcer to crash.

408412

Configuration synchronization will now be sent asynchronously to prevent the relay listener from blocking on trying to send a second configuration to a device before the first configuration finished.

Application Visibility and Reporting Fixes

ID Number

Description

398370

We added the field "rechunk=1" to /etc/bigstart/scripts/md. Changing it to "rechunk=0" and restarting the MD daemon ensures that the system does not rechunk server responses. We recommend you set "rechunk=0" in the following cases:
1. The server response is not chunked and not compressed.
2. The server response is not chunked and the virtual server is configured with an HTTP Compression Profile.

This release fixes a rarely occurring TMM crash. It happened when a user session was terminated while a form-based client-initiated Single Sign-On operation was in progress.

406971

Improved Firepass client and server support for better system behavior.

407254

Improved Firepass client and server support for better system behavior.

407509

Support for Windows Citrix Receiver 3.4.

407510

Support for Mac Citrix Receiver 11.7.

407833

When a report fails to run, the Configuration utility now displays a specific error and logs error exception details to the webui.log file even when it is configured in default logging mode.

407860

Export is now working for empty SSO configurations.

407940

The Session Details report now runs without error.

408150

Support for Citrix Receiver for iOS 5.7.

408917

BIG-IP Edge Client for Mac no longer displays a captive portal when the XML response from the Mac does not contain the doctype element.

410514

End user can now establish a connection via Network Access.

WebAccelerator Fixes

ID Number

Description

410320

The wamd process no longer loops indefinitely when encountering a DOCTYPE tag that has a trailing space (e.g., "<DOCTYPE HTML >").

Cumulative fixes from BIG-IP v11.2.1 Hotfix 3 that are included in this release

TMOS Fixes

ID Number

Description

371131-1

Enhance LDAP auth to search for group membership.

385719-2

Improved system reliability with fixes for bugs found by internal F5 testing.

246920

Transparent IPv6 monitors in LTM and GTM now work correctly.

248139

Messages logged from TMM to syslog now correctly contain the hostname for the BIG-IP they are logged from, rather than the generic hostname "tmm".

336920

Parameters to tcpdump are now included in pcap output files when using the '-w' option.

374969

A defect has been fixed which could cause master key decryption failures upon syncing configuration between devices. The following message in /var/log/ltm indicates such a failure condition: "Master Key decrypt failure - decrypt failure - final"

378043

Modifying a single GTM pool object in the GUI no longer causes all pools to update with the same changes.

388590

Certificates can now successfully be updated using the iControl Management::KeyCertificate interface.

390569

The dependency issue between App Template TCL script and TMSH CLI script has been fixed.

390715

Fixed a defect with configsync that could cause internal certificates to not be synchronized correctly, resulting in a failure to load configuration on the target system and the following log message: "File object by name (dtdi.crt) is missing."

390768

Fixed a defect which could cause snmpd to restart and leave a core file.

391874

The management port of the BIG-IP system now correctly connects to a peer at 100Mbps. This resolves a previous issue where, if a management port was disconnected while the BIG-IP system was loading, it would fail to connect at 100Mbps when the port was reconnected.

392484

Improved system reliability with fixes for bugs found by internal F5 testing.

393211

After configuring a gateway-failsafe-device on a pool in a chassis environment and restarting the system, the secondary blade(s) no longer fail to load their configuration.

393294

Refreshing the browser page in GTM no longer fails with the following error: "an error has occurred..."

393530

HA groups can now use pools outside of the /Common partition.

393671

SNMP traps are now correctly sent from the system when the primary blade in the cluster fails and a secondary blade takes over.

393986

On the slave blade in a chassis, bgpd will no longer spin and consume excessive CPU.

394104

Enhanced content-type detection to no longer assume type binary upon reading one or more initial NUL characters. So, for example, HTML pages beginning with any arbitrary number of NUL characters are now correctly categorized as HTML pages and are correctly rewritten.

394580

The configuration in the Common partition is now loaded before that of others, to avoid a variety of post-upgrade configuration load issues.

396158

Users are now able to delete 'send', 'receive' and 'disable' parameters from configured monitors in the GUI.

396308

SNMP ifSpeed OID now correctly reports the interface's current bandwidth in bits per second.

Fixed a rare crash of the mcpd process as a result of changing passwords.

398931

When adding or removing a trunk member, the percentage of up members in the trunk is now updated accordingly.

401715

Fixed a defect which could cause some Access policy items to not roll-forward properly from 10.x configurations.

402067

Validation for virtual servers with web application Java patching enabled has been corrected to require a rewrite profile with a trusted CA, signer, and sign-key.

405398

GTM Global settings will no longer be lost during a sync.

406206

BIND has been updated to address CVE-2012-5688.

406748

It is now possible to install BIG-IP v11.3.0 on a VCMP guest with Software Management from a slot that is running this hotfix version.

406930

VCMP hosts now perform better and are more stable under moderate and heavy IO activity.

Local Traffic Manager Fixes

ID Number

Description

377421-1

Fixed an issue whereby persistence records that are subject to matching across virtual servers could cause tmm to reset the traffic.

383692-1

https monitors no longer use SSL ticket extensions, which works more reliably with older versions of SSL.

389078-1

An issue that caused an iRule hang in the following circumstances has been corrected:
* The virtual server has no default pool and is CMP-enabled.
* You have an iRule that issues [persist lookup uie {$value any pool}] before a pool is selected.
* A request comes in that is handled by a TMM other than tmm0.

HTTP cookie headers with leading whitespace before the first colon (':') separator are now processed correctly, rather than discarded.

384634

In previous versions of BIG-IP after 11.1.0, there were conditions under which both the text of an iRule script and its priority (or order in application to the virtual) were changed and caused a core. This could also happen during configsync. These conditions have been addressed, and the core no longer occurs.

386078

Fixed a defect which could cause TMM to core and restart when servers send responses with invalid 'Location' headers and redirect rewrite is enabled on the virtual server's HTTP profile.

389078

An issue that caused an iRule hang in the following circumstances has been corrected:
* The virtual server has no default pool and is CMP-enabled.
* You have an iRule that issues [persist lookup uie {$value any pool}] before a pool is selected.
* A request comes in that is handled by a TMM other than tmm0.

389278

ICMP monitors no longer erroneously mark down IPv6 nodes that are also configured with a transparent gateway ICMP monitor.

389324

Fixed a defect which could cause TMM to core and restart under certain conditions.

389409

Modifying the connection limit on a pool member with a priority group configuration no longer causes the BIG-IP to fail to load-balance to pool members that are otherwise below the configured connection limit.

390514

The SNMP_DCA_BASE monitor now correctly uses the USEROID_COEFFICIENT and USEROID_THRESHOLD when determining pool member weights.

391313

The RST cause is no longer incorrectly set to "internal error (persist)" when persistence entries are being added, avoiding a situation where the legitimate RST cause is overwritten.

391633

Resolved a problem found by internal F5 testing where ARP replies were sent to an incorrect IP address.

391986

A code defect that causes CMP persistence lookups to fail after the first request returns has been corrected.

392029

Statsd no longer leaks if ASM is configured.

392037

Virtual servers with a profile whose IPv6 to IPv4 mode is set to Secondary now respond with the correct AAAA resource records for AAAA queries, rather than responding with rewritten A resource records.

392159

On chassis-based platforms (VIPRIONs), the Access Policy Manager module's apd service incorrectly used floating self-IP addresses to communicate with host daemons instead of an internal TMM IP address (127.20.x.x). This is no longer an issue.

394293

Fixed a TMM memory leak on virtual servers using either WebAccelerator or High Speed Logging.

394725

Fixed a defect that could cause TMM to core and restart while handling connection persistence entries.

394743

IP-fragmented packets are now handled correctly by virtual servers that are selected in iRules by the 'virtual' command.

395582

Fixed a defect which could cause TMM to hold excessive amounts of memory while processing APM or ASM traffic.

395767

Fixed a regression that could cause VLAN failsafe to intermittently not function.

396878

Improved automated testing suites at F5 for SSL handshake.

398092

BIG-IP 2000 no longer outputs "Invalid core affinity settings" errors on bootup. These were cosmetic and did not indicate any failure.

398296

Fixed a defect which could cause TMM to core and restart when handling Access policy traffic.

400139

The monitor flapping problem (the monitor being continuously marked UP and then DOWN although the monitored node stays UP during this period) in transparent IPv6 monitors in LTM and GTM is fixed.

You can now create a Link via the GUI with Link Controller provisioned. Note that it will share the default datacenter with the default GTM server that Link Controller sets up.

391315

iRule pool commands now correctly handle selection where the pool has no CNAME Resource Record associated.

391569

GTM will now respect connection limits placed on pools.

392834

TMM no longer cores and restarts while processing DNS requests after a wideip alias is removed from the configuration.

Application Security Manager Fixes

ID Number

Description

368337

If a remote logging server is configured incorrectly (for example, with the wrong IP address or port), the Enforcer spends a long time unsuccessfully trying to connect to the server. As a result, the Enforcer sometimes used to hang and crash. This is no longer the case.

376192

A request that contains the internal cookie TSxxxxxx_77 or TSxxxxxx_75 that was generated by another HTTP Class no longer causes the Enforcer to incorrectly trigger the "Modified ASM cookie" violation.

386019

We fixed an issue that caused the enforcer to perform a core dump when the system's plug-in was initialized or uninitialized repeatedly.

391372

The system no longer fails to import an XML schema file that includes a 'no namespace' element.

391493

The system now detects touch screen browser events as human events. Previously, the system only considered mouse movements and keyboard presses as human events.

391826

The Configuration utility no longer hangs when trying to view Recent Incidents on the Traffic Learning > Attack Signature Detected screen. In the previous version this occurred under specific conditions.

392087

The system now correctly handles a case where a security policy imported from a v10.2.x policy export file may contain a misconfigured Blocking Response Page that, in limited instances, prevented the policy from being applied.

392719

If you are running standalone ASM and you delete the HTTP Class associated with an active security policy, the security policy is now correctly moved to Recycle Bin.

393468

You can now perform configuration synchronization from a device with a lower BIG-IP version to a device with a higher BIG-IP version if the devices are within the same device group.

394506

We optimized the Enforcer's memory allocation for large requests.

394959

Loading the configuration on a secondary VIPRION-2400 B3400 blade no longer fails.

395340

We fixed the close element for sequences having the "anyType" child.

395601

The system now cleans files in /ts/var/cluster/temp that are more than 1 hour old to keep the /var disk partition from filling up.

396327

We enhanced the Application Security -> Reporting -> Requests screen so that it no longer becomes unresponsive for a long period of time (around 90 seconds) after searching for a string in the filter.

396762

In a chassis, using the VIPRION 2400, when you create a security policy immediately after provisioning ASM, you no longer see meaningless error messages in the Configuration utility.

397525

SMTP, FTP, and HTTP protocol profiles are no longer unassigned by the system after you restart the system. Previously, this occurred if these profiles were created in partitions other than "/Common".

398175

To improve the integration between ASM and Whitehat Sentinel vulnerability assessment, the ASM Whitehat IP address range was updated.

398690

If ASM is not provisioned when a UCS file is loaded, then the ASM configuration is moved aside to be installed later (delayed load), and the configuration files are now created with the correct permissions. In previous versions, they were not created with the correct permissions.

398697

The browser no longer displays a JavaScript error when the "AJAX blocking page" feature is enabled and the CSRF protection feature is disabled.

399923

We fixed a memory corruption issue that rarely occurred during the encoding of Chinese characters.

400587

We added the internal parameter "allowXSIRename", which lets you allow a namespace prefix other than "xsi" for "http://www.w3.org/2001/XMLSchema-instance". Set this parameter to 1 to allow different names for the xsi prefix. The default value is 0 (disallow). To set the parameter value to 1, run the following commands:

/usr/share/ts/bin/add_del_internal add allowXSIRename 1
bigstart restart asm

401501

The system now correctly populates parameter learning suggestions in the Illegal Parameter screen. Previously, if you clicked a parameter in the Application Security > Policy Building: Manual > Traffic Learning > Illegal Parameter screen, the parameter name was always displayed as UNNAMED, and it was not possible to enforce or delete the parameter.

402535

Enterprise Management now deploys the correct version of previously exported security policies.

403061

Fixed an Enforcer crash during web scraping enforcement.

404638

The Deployment wizard's Configuration utility no longer times out when more than 1000 virtual servers are configured in the system.

405669

We fixed an issue that occurred only in v11.2.0. Currently, the system injects a client-side challenge only when the request is qualified for JavaScript injection.

405690

The concurrent long requests count is now synchronized. This was done so that when there is a high load of long requests on a platform with many CPUs, the system no longer exceeds the maximum concurrent long request configuration value (determined by "max_concurrent_long_requests").

Access Policy Manager Fixes

ID Number

Description

344912-1

Improved APM reliability for clients

371452-4

Improved APM reliability for clients

373495-1

Improved APM reliability for clients

386077-1

CRLDP no longer fails with valid certificates that use certain formats for their serial numbers.

386131-1

Improved Firepass client and server support for better system behavior.

395176-1

Improved Firepass client and server support for better system behavior.

APM now correctly throws a security exception when a DOM security violation occurs.

405218-3

APM rewrite profiles can now handle a bypass list that contains more than 26 entries.

370053

When using customization and other upload and import operations, temporary files no longer accumulate in the /tmp directory.

371452

Improved APM reliability for clients

371456

Improved APM reliability for clients

371459

Improved APM reliability for clients

377138

Fixed a defect which could cause the BIG-IP system to stay INOPERATIVE if services are restarted while APM logging sessions are active.

379550

Unicode white space characters outside the ASCII range are now recognized as such in JavaScript. JavaScript containing these characters is now rewritten correctly.

380319

Improved APM reliability for clients

380331

Improved system reliability with fixes for bugs found by internal F5 testing.

380333

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

380366

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

380385

APM now supports Windows 8

380678

Citrix published applications are displayed with correct Webtop icons in Internet Explorer 10.

382569

Some valid macros failed a check; this has been corrected.

382798

Multiple package files can now be uploaded under Citrix Client Bundles.

384138

Description text is now removed from Citrix application folders on APM Webtop to match Web Interface look and feel.

385535

APM now displays client DHCP address in reports.

385673

"Can't read "tmm_apm_citrix_username": no such variable" error no longer appears in logs.

386277

VPE no longer times out when you edit complex policies that assign many resources.

386788

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

386921

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

386933

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387122

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387376

387389

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387498

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387501

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387853

A separate SOCKS5 error code is now returned for an invalid or expired session.

388035

Multi-Stream ICA connections were targeted to the same primary CGP port on XenApp backends. Now each connection goes to the corresponding Multi-Stream ICA port configured by the administrator in XenApp policies.

388220

APM now supports XenDesktop in PNAgent mode.

389350

HTTP query string is no longer corrupted by multi domain SSO.

390023

Edge Client Network Access now works on 64-bit Windows 8.

390167

Client signature check no longer fails for data greater than a large but reasonable limit.

391745

Logging to /var/log/apm would sometimes fail even after setting the db var 'log.access.syslog enable'. This error has been corrected.

Now an administrator can configure the machine certificate checker not to check the private key when User Account Control right elevation is required for this operation.

392889

Google Chrome extension installation is stricter starting with Google Chrome 21. To install the extension on Google Chrome 21 and later, follow the directions that the BIG-IP system provides whenever the extension must be installed.

393116

Applications now work correctly when using the ACCESS::disable iRule command on a virtual server with an access profile with an SSO configuration assigned.

APM no longer throws a security exception when handling a URI with an ampersand in an XHTML document.

395069

Firefox 15 is now supported.

395359

Resolved TMM core in xbuff.

395374

Resolved an issue found in internal F5 testing that would generate an SQL error after multiple successful installs of EPSEC using the admin UI.

395625

A. Uninstall the old plugins. Try these steps in this order:

1. Safari method: Using the Safari browser, try connecting to the BIG-IP system to see whether the plugins upgrade seamlessly. If you have 32-bit Safari running on 10.7+, this method likely will not work.

2. Manual plugin removal:

2a. In Spotlight, type "f5 sam inspection host plugin.plugin". Drag and drop the found plugin to the Trash. Or, use Terminal to go to the Internet Plug-Ins directory (cd "~/Library/Internet Plug-Ins") and remove the inspection host plugin directory (rm -rf "f5 sam inspection host plugin.plugin").

2b. In Spotlight, type "F5 SSL VPN Plugin.plugin" and drag and drop the found document to the Trash. (If you want to make sure that it is a plug-in document, mouse over the document to see whether its type is "Plug-in".) Or, use Terminal to go to the Internet Plug-Ins directory (cd "/Library/Internet Plug-Ins") and remove the SSL VPN plugin directory (sudo rm -rf "F5 SSL VPN Plugin.plugin").

B. Connect to the BIG-IP system now and follow the instructions it displays. The new plugins install.

395754

From the Basic Customization view, the Network Access screen now displays and allows you to update customization values after upgrades from 10.x.y.

395781

An issue where apd would crash due to a double file descriptor close has been fixed.

395832

IE7 is now emulated on the client system so that IE10 works.

395875

Exceptions in APD are now handled properly to avoid a process crash.

396052

All established Citrix connections for a user session are now terminated when the user session expires.

396213

A memory leak that occurred when the AD module queried for all domain groups has been fixed.

396218

When the access policy language is set to Japanese, PWS now correctly resumes the session on clients with a Japanese system locale.

Resolved an issue where using IE10 (without switching it to compatibility mode) with an IPv6 virtual server and attempting to establish a Network Access tunnel (IPv4 and IPv6) caused the message "You navigated away from the webtop. Do you want to close current connections?" while the tunnel was being established.

397358

Loading of XML external entities in the APM VPE is now disabled to eliminate the possibility of an XXE attack.

397373

Citrix functionality no longer fails when a TCP, Persist or Auth profile attached to the virtual server is re-configured.

397471

APM: a memory leak has been corrected.

397538

APM now supports Citrix Receiver for Mac 11.6.

397642

Multidomain SSO works properly now if the user has an MRHSHint cookie.

397668

An OAM exception from the Oracle ASDK, which occurred when an invalid host name was passed to the ObUserSession constructor, has been resolved.

397853

Fixed a redirect loop in multidomain SSO when redirecting user to a URL with a query string that contains a field with no value (e.g., http://example.com/?field=).

398007

In network access tunnel cases with both TLS and DTLS, ICMP traffic would be dropped in some cases. This no longer occurs.

An OWA 2010 portal access resource configured not to update the user session on periodic client requests (/owa/keepalive*, /owa/ev.owa*) now works as expected and no longer prevents the user session from expiring.

398641

Rewriting of the 'href' attribute of 'xml-stylesheet' processing instructions now works for files of type HTML, XHTML, XML, and SVG.

399212

Previously, you could save an advanced customization for an access profile stored in a partition, but not for one stored in a folder. Now you can save an advanced customization for an access profile in a partition or in a folder.

400060

Fixed local SQL injection flaw.

400158

Improved testing and debugging capabilities.

400345

The OAM header is now properly included in POST requests forwarded to the back-end server.

400662

Citrix clients could not reconnect when using CGP for transport. This works correctly now.

400675

When XML Broker is used in standalone mode, Citrix icons are now displayed on full webtop in Internet Explorer 9.

400759

Improved testing and debugging capabilities.

400760

APM now correctly handles the CGP setting in ICA files sourced from a Web Interface site, and tells Citrix clients to use CGP if the target XenApp server supports it.

400896

An issue with handling certain types of commands within Flash has been corrected.

401025

The F5 WebGate did not set the "Expires" header in the HTTP response for the SSO logout URL. Because of this, the browser continued to use the old ObSSOCookie value, so a new user who logged in without closing the browser could access information for the previously logged-in user. Now the F5 WebGate sets the Expires header and matches the behavior of the Oracle-provided WebGate when receiving an SSO logout URL.

It is now possible to disable logging to local log files but enable external syslog logging.

401738

The BIG-IP system did not return the RADIUS State attribute in unmodified format with the second Access-Request. This has been corrected; the BIG-IP system now returns the State attribute in unmodified (compliant) format.

401939

Resolved bugs found by internal F5 testing to improve quality of release.

402147

A regression that caused a missing RADIUS Accounting-Stop message on session finish has been resolved.

402252

Resolved bugs found by internal F5 testing to improve quality of release.

402586

Resolved bugs found by internal F5 testing to improve quality of release.

402741

The BIG-IP Edge Client now cleans up on exit when a user logs off while a network access connection is established.

WA now handles a rare out-of-memory condition and successfully tears down the connection when it happens, avoiding a TMM core.

397761

Fixed a potential memory leak in mcpd when running WebAccelerator.

399507

When a URL is embedded within a query string and its response had previously been cached in WAM, we no longer erroneously serve that response to the client rather than processing the URL that is being requested.

399967

Client connections are no longer incorrectly reset for virtual servers with Application Security Manager and WebAccelerator configured after a change is done in the associated Web Acceleration profile.

405497

Small optimized images are correctly re-cached after they are updated on OWS and re-optimized.

WAN Optimization Manager Fixes

ID Number

Description

387886

Fixed a crash in the woc_plugin process when running the WAN Optimization Manager.

396982

A memory leak has been eliminated.

397856

The performance of CIFS operations for WAN-optimized virtual servers has been improved.

Service Provider Fixes

ID Number

Description

395353

Virtual servers with SIP profiles now correctly forward well-formed SDP messages that do not end with a newline.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 2 that are included in this release

TMOS Fixes

ID Number

Description

362739

Support new hardware platforms.

396072

Improved reliability of the BIG-IP system with fixes for bugs found by internal F5 testing.

396284

Support new hardware platforms.

396715

Support new hardware platforms.

397836

Removing an operational PSU from a BIG-IP 2000-series or 4000-series appliance now operates correctly, and no longer results in spurious "Fan speed too low," "hardware sensor critical alarm," "Power supply #2 fan-1: fan speed (0) is too low," or "localhost emerg system_check" messages on the console. In addition, removing an operational PSU from a 4000 platform correctly results in a red Alarm LED and a CRITICAL error on the LCD screen; however, when you clear the alarm from the LCD module, the error does not return.

398974

In this release, there is a VIPRION 2000 Series-specific change in the clock interrupt initialization to correct CPU-utilization imbalance.

399661

On the 2000s/2200s and 4200v platforms running 11.2.1, the first time you inserted an SFP in interface 2.1 or 2.2 after booting with no SFP inserted, the SFP was not recognized. This issue has been corrected.

399672

400775

The maximum number of trunk members on the 2000, 2200 and 4000 platforms is now correctly set to 8.

400789

BIND has been updated to address CVE-2012-5166.

403052

Added support for the BIG-IP 2000 platform.

403177

Improved reliability of the BIG-IP system with fixes for bugs found by internal F5 testing.

403545

Support new hardware platforms.

403724

Support new hardware platforms.

403727

404433

The LED status now correctly turns to amber on the 2000s / 2200s platforms when the license has expired.

Improved reliability of the BIG-IP system with fixes for bugs found by internal F5 testing.

398092

BIG-IP 2000 no longer outputs "Invalid core affinity settings" errors on bootup. These were cosmetic and did not indicate any failure.

402164

Interfaces 2.1 and 2.2 on the 2000s / 2200s and 4200v platforms did not correctly account for dropped packets due to full rings. These packets now show up as drops in the interface stats.

404036

The following rate-shaper debug log message was incorrectly logged at the critical level, which could lead to system instability including TMM restarts: "Error: Trying to dequeue from empty queue for class 'rateclass'". This problem has been corrected.

404037

Rate shaper accounting was being done by bytes. This accounting has been modified to be done by packets to avoid error situations.

Performance Fixes

ID Number

Description

405020

Improved performance of new hardware platforms.

Cumulative fixes from BIG-IP v11.2.1 Hotfix 1 that are included in this release

TMOS Fixes

ID Number

Description

397916-1

378043

Modifying a single GTM pool object in the GUI no longer causes all pools to update with the same changes.

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

605476-1 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
The istatsd process may consume excessive CPU resources.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The system performance degrades and the system eventually stops responding or reboots.
-- In the /var/log/ltm file, you observe multiple messages that appear similar to the following example: emerg logger: Re-starting istatsd.

-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats file.
Under these conditions, the istatsd process may continually restart and produce a core file.

Impact:
Over time, the system performance may degrade and the system may eventually stop responding or reboot due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

Log in to the BIG-IP command line.
To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.

601527-2 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during a config update or config sync.

Conditions:
Not all of the conditions that trigger this are known, but it seems to occur during a full configuration sync and is most severe on the config sync peers. It was triggered by making a single change on the primary, configuring a monitor on a pool, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

600944-5 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and then run 'ip route', the routing table from the previous partition is displayed, not that of /Common.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.

600558-1 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

598874-4 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

597729-3 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

597431-1 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient does not clean up the routing table before Windows goes into hibernation. This may cause VPN establishment to fail when the computer wakes up, and may also cause other network connectivity issues.

Conditions:
- VPN connection is not disconnected.
- Computer goes into hibernation.

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running ipconfig /renew, or reboot the machine.

594123 : Illegal HTTP status in response filling up the database

Component: Application Security Manager

Symptoms:
You see errors similar to the following: "[ERROR] /usr/sbin/mysqld: The table 'ENFORCER_CPU_USAGE' is full"

Conditions:
This can occur when ASM is enabled and the "Illegal HTTP status in response" violation is triggering. These entries are not cleaned up at the appropriate time.

Impact:
Database eventually consumes all available space.

Workaround:
You can manually truncate the table by running the following command in MySQL:

TRUNCATE TABLE PLC.LRN_ILLEGAL_HTTP_STATUS_IN_RESPONSE;

591659-6 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
None.

591476-2 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

582029 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.

Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.

579284-1 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.

576591-1 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in one of the specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern can be used for these cases, but it must be adjusted for each customer specifically.

576296-5 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

575368 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted indicating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.

Symptoms:
Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM.

Symptoms:
The Mac Edge Client does not handle redirects during profile download (/pre/config.php?version=2.0), and eventually the Edge Client is not able to connect.

Conditions:
Mac Edge Client with BIG-IP v11.2.1.

Impact:
The Edge Client cannot establish a connection successfully.

569642-1 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery the now active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is necessary, create other backup routes prior to the deletion.

566361-6 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

565810-4 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.

565534-5 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and higher:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and higher:

Multicast failover is configured and the system loads the configuration from the configuration files, for example during the first boot of a new boot location or after performing the procedure in Sol13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Mitigation for the all-versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.

560405-3 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following are logged from the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Symptoms:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Conditions:
A virtual server must have a DNS profile assigned, the DNS message must be exactly two bytes longer than a multiple of the TCP segment size, and the TCP stack on the DNS client or resolver must bundle the first two bytes (the DNS-over-TCP message length prefix) with the message in the first TCP segment.

Impact:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Workaround:
Use UDP with EDNS instead of TCP if possible. Alternatively, adjust the TCP MSS setting by a few bytes for the DNS virtual.
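The failure mode above comes from the two-byte length prefix that DNS over TCP (RFC 1035, section 4.2.2) puts in front of every message: neither the prefix nor the message body is aligned to TCP segments. The following stream reassembler is an added example, not F5's code and not taken from this release note; it shows how a parser must buffer across segment boundaries for the alignment described above (a 66-byte message in 64-byte segments) as well as for a prefix that is itself split across two segments. The sample queries and segment sizes are constructed inline.

```python
import struct


class DnsTcpReassembler:
    """Reassembles DNS messages from a TCP byte stream.

    DNS over TCP prefixes each message with a two-byte big-endian length.
    Neither the prefix nor the body is aligned to TCP segments, so the
    parser keeps a buffer and emits a message only once the prefix and all
    'length' bytes after it have arrived.
    """

    def __init__(self):
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list:
        """Append one TCP segment's payload; return any complete messages."""
        self._buf.extend(segment)
        messages = []
        while len(self._buf) >= 2:          # need the full prefix first
            (length,) = struct.unpack("!H", self._buf[:2])
            if length == 0:
                raise ValueError("zero-length DNS message in stream")
            if len(self._buf) < 2 + length:
                break                       # body still partly in flight
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: header (RD set, one question), QNAME, QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (transaction id, question name) from a DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return txid, ".".join(labels)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its two-byte TCP length."""
    return struct.pack("!H", len(msg)) + msg


def demo_stream() -> bytes:
    """Constructed stream of two framed queries (sample data, not a capture).

    The first message is 66 bytes: 12-byte header + 50-byte QNAME (one
    48-character label plus length and root bytes) + 4 bytes QTYPE/QCLASS,
    i.e. exactly two bytes longer than a 64-byte segment.
    """
    return frame(build_query(0x1234, "x" * 48)) + frame(build_query(0x5678, "example.com"))


def reassemble(stream: bytes, mss: int) -> list:
    """Cut the stream into mss-sized segments and feed them in order."""
    r = DnsTcpReassembler()
    out = []
    for i in range(0, len(stream), mss):
        out.extend(r.feed(stream[i:i + mss]))
    if r.pending():
        raise ValueError("trailing partial message")
    return out


if __name__ == "__main__":
    for mss in (64, 69, 1):   # 64: note's alignment; 69: prefix split; 1: byte at a time
        msgs = reassemble(demo_stream(), mss)
        print(mss, [parse_question(m) for m in msgs])
```

With a 64-byte segment size the first segment carries the prefix plus 62 body bytes and the second carries the last 4 body bytes together with the next message's prefix; with a 69-byte segment size the second message's prefix is cut in half. A correct parser returns the same two messages in every case.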

556380-5 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

552139-5 : ASM limitation in the pattern matching matrix build-up

Component: Application Security Manager

Symptoms:
The signature configuration fails to build after new signatures are added. This can appear as a configuration change that never finishes; if it does finish, it may cause crashes when the Enforcer starts up, resulting in constant restarts.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in the custom signature scenario: use fewer signatures, or remove unused signatures.

549588-5 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Conditions:
This occurs when using an access management product such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow without bound.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No workaround.

549086-5 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

547000-1 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

544888-2 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.

542191-5 : Snmpd V1 and V2c view based access.

Component: TMOS

Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: A view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support view configuration. If multiple views are created using the lines: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.

540568-7 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

539229-5 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception causes EAM to core, with a possible access outage.

Workaround:
No workaround.

539013-4 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Symptoms:
After upgrading to 11.2.1 HF15, SNMPd might not reply when a GetRequest is sent to localhost, management IP, or to the self-IP address of the BIG-IP system.

Conditions:
Upon upgrading from 11.2.1 base install (with only the default comm-public community configured) to 11.2.1 HF15, the system boots up with no communities configured, even though no command was issued to remove the default comm-public community.

Impact:
SNMPD does not send replies to client.

Workaround:
Configure a 'public' SNMP community after upgrading to 11.2.1 HF15.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

525429-7 : DTLS renegotiation sequence number compatibility

Conditions:
The old OpenSSL library is not compatible with RFC6347; the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with the old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with the new OpenSSL library.

524326-1 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

524193-1 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address will be allowed snmp access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.

523527-1 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★

Component: TMOS

Symptoms:
If you upgrade directly from version 10.x to version 11.2.0 or later with a working dynamic routing protocol configuration, you may find that the routing protocol is disabled after the upgrade to 11.2.0 or later.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (RD0) configuration, that is, all VLANs in RD0 by default and no comment, so that no RD0 configuration exists in bigip_base.conf.

Workaround:
There are several workarounds to this issue:
- Cause the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to the upgrade.
- Re-add the routing protocol to the RD0 configuration after the upgrade.
- Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 before upgrading to 11.2.0 or later.

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:

519068-5 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset, with log messages about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

517282-1 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

517020-2 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

516669-4 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

515759-5 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configuration changes to self IPs, virtual servers, NATs, SNATs and LSNs.

515667-1 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When a BIG-IP system truncates an SNMP OID in order to stay within the maximum OID length of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String-type index attributes with value lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Conditions:
The conditions that cause this are not yet known. This was discovered when ASM was provisioned.

Impact:
Device keeps going offline/online.

506315-7 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node that does not honor the OWS max-age and/or s-maxage headers, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase the AAM/WAM cache lifetime for that content to compensate.

In these cases, new traffic will continue going to a limited number of pool members.

Conditions:
Using OneConnect along with one of the following load balancing methods: ratio (node), least connections (node), observed (node) or predictive (node).

Impact:
Traffic does not balance across nodes as desired.

Workaround:
This can be partially mitigated by using other load balancing methods; however, when these methods are used there is no workaround.

504633-4 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause good records with unexpected sequence numbers to be dropped.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop good records whose sequence numbers are smaller than that of the bad record.

Workaround:
None.

503741-5 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS chooses to disconnect the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.
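Both 504633-4 and 503741-5 above are instances of the receive-side rule in RFC 6347 (sections 4.1.2.6 and 4.1.2.7): the anti-replay window, and with it the next expected sequence number, is updated only after the record's MAC verifies, and an invalid record is silently discarded rather than tearing down the association. The following receiver is an added illustration, not F5's code and not the BIG-IP DTLS implementation; it uses a constructed record layout (64-bit sequence number, payload, 16-byte truncated HMAC-SHA256 as a stand-in for the record MAC) and omits epochs and the real DTLS record header.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 stands in for the DTLS record MAC (assumption)
SEQ_LEN = 8    # 64-bit field here; real DTLS carries a 16-bit epoch + 48-bit seq


def _mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()[:TAG_LEN]


def seal_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || MAC (constructed layout)."""
    return struct.pack("!Q", seq) + payload + _mac(key, seq, payload)


class DtlsRecordReceiver:
    """Receive-side record handling in the style of RFC 6347 sections 4.1.2.6/4.1.2.7.

    - Sliding anti-replay window of WINDOW sequence numbers.
    - The window (the 'expected next' sequence number) advances only after
      the MAC verifies, so a bad record carrying a huge sequence number
      cannot push genuine records out of the window.
    - Invalid records are counted and dropped; the receiver keeps running.
    """

    WINDOW = 64

    def __init__(self, key: bytes):
        self._key = key
        self.right = -1      # highest sequence number accepted so far
        self.bitmap = 0      # bit i set <=> seq (right - i) already accepted
        self.dropped = 0
        self.delivered = []

    def _seen_or_stale(self, seq: int) -> bool:
        if seq > self.right:
            return False
        diff = self.right - seq
        return diff >= self.WINDOW or bool((self.bitmap >> diff) & 1)

    def _advance(self, seq: int) -> None:
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.WINDOW:
                self.bitmap = 1                      # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, record: bytes) -> bool:
        """Return True if the record was accepted and its payload delivered."""
        if len(record) < SEQ_LEN + TAG_LEN:
            self.dropped += 1                        # malformed: discard silently
            return False
        seq = struct.unpack("!Q", record[:SEQ_LEN])[0]
        payload, tag = record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
        # 1. Cheap replay/staleness check on the cleartext sequence number.
        if self._seen_or_stale(seq):
            self.dropped += 1
            return False
        # 2. MAC verification before any state change.
        if not hmac.compare_digest(tag, _mac(self._key, seq, payload)):
            self.dropped += 1                        # no window update, no teardown
            return False
        # 3. Only now move the window forward.
        self._advance(seq)
        self.delivered.append(payload)
        return True


def run_scenario() -> dict:
    """Constructed exchange: two good records, one bad record with a very
    large sequence number, then further good records with smaller numbers."""
    key = b"constructed-session-key"
    rx = DtlsRecordReceiver(key)
    rx.receive(seal_record(key, 0, b"hello"))
    rx.receive(seal_record(key, 1, b"world"))
    bad_accepted = rx.receive(seal_record(b"wrong-key", 1 << 40, b"junk"))
    later_accepted = rx.receive(seal_record(key, 2, b"still delivered"))
    replay_accepted = rx.receive(seal_record(key, 2, b"still delivered"))
    return {
        "bad_accepted": bad_accepted,
        "later_accepted": later_accepted,
        "replay_accepted": replay_accepted,
        "right": rx.right,
        "dropped": rx.dropped,
        "delivered": list(rx.delivered),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The order of the three checks is the whole point: if step 3 ran before step 2, the bad record with sequence number 2^40 would move the window and the genuine record numbered 2 would then be rejected as stale, which is the 504633-4 behaviour; if a MAC failure closed the receiver instead of incrementing a counter, any party able to inject a datagram could end the association, which is the 503741-5 behaviour.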

503257-2 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
- IP addresses and ports of SYN match an existing connection;
- Sequence number of the SYN is more than 2^31 ahead of the previously sent FIN;
- Existing connection is in TIME_WAIT state;
- Virtual server has time_wait_recycle enabled.

501612-1 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server having their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:

1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.

2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.

3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.

4) Any unicast misdirection of NTP traffic to the management port not covered above.

495128-7 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses a proxy and Network Access does not specify any proxy, then Safari should not use the proxy for a Network Access resource after the Network Access tunnel is created. However, Safari does so.

This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124

Impact:
EPS checkers can't be updated without clearing the browser cache.

492153-9 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, there is an issue that causes the tunnel to shut down when the state of the IP address changes to deprecated.

Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure.

The estimated deployment of clients supporting TLS1.3 is 2016.

Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.

Impact:
Lower performance is the most likely outcome. The handshake requesting TLS1.3 will fail, after which a client will reconnect with a TLS 1.2 handshake and succeed.

The worst case scenario is an inability to establish a connection for clients that only implement the standard TLS version negotiation mechanism.

Workaround:
This issue has no workaround at this time.

489328-2 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens the browser and different tabs in the browser pointing to a BIG-IP APM virtual server, and they cause the access policy to run from both tabs. If the length of the encoded URL falls on a 4K boundary, then TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

489217-4 : "cipher" memory can leak

Component: Local Traffic Manager

Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in the "memory_usage_stat" may show large amounts of "cipher" memory allocated.

Conditions:
BIG-IP performing SSL handshakes.

Impact:
Memory usage increases until no more memory is available.

488917-4 : Potentially confusing wamd shutdown error messages

Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

478751-7 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and race condition on parsing form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.

478674-7 : ASM internal parameters for high availability timeout were not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly and a different value is registered against the high availability (HA) system. This causes the system to have faster than expected failovers. Also, when bypass asm is turned on and a bigstart restart asm was applied, a failover happens.

Conditions:
Two possible conditions:
1. An internal parameter configures the timeout to the HA system, but ASM fails to send a lifesign to the HA system for 10 seconds (instead of the configured time).
2. The bypass asm internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
This issue has no workaround at this time.

477966 : Custom reports Available fields are broken

Component: Access Policy Manager

Symptoms:
When an admin tries to create or edit a Custom Report, the left pane shows an endless number of nested Available Fields folders instead of the fields. The user interface stops responding and the user needs to restart the browser.

Conditions:
This issue only happens when something is wrong in the installation that prevents the table apm.log_param_metadata_ui from being created.

This rarely happens.

Impact:
User cannot create custom report.

Workaround:
The user can restart the BIG-IP system to fix custom report error. Make sure the table apm.log_param_metadata_ui is created in mysql db.

474226-3 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist:
- Incoming connection has cookie matching persistence entry.
- Persisted pool member has been marked down.
- No other pool members are available.

473348-3 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.

470389 : APM garbled characters observed in APM logs

Component: Access Policy Manager

Symptoms:
Garbled characters (or control characters) are seen in the /var/log/apm log file.

Conditions:
This issue occurs under the following conditions: username/password are not provided when accessing the virtual; Network Access resource is launched and VPN is established; and when accessed from another browser, the first session is killed and sometimes garbled characters appear.

462714-9 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with a checksum of 0, SCTP, or ESP is definitely affected.

Impact:
Source address persistence is not usable as the entry ages out when it should not.

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into a retry loop and sod kills the tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.

Impact:
SQL monitors do not work as expected. They might hang or only intermittently return results.

Workaround:
None.

460939-6 : ObAccessException thrown by OAM SDK while checking if the resource is protected is not handled properly in EAM plugin.

Component: Access Policy Manager

Symptoms:
On the EAM Client side handler while processing TMEVT_INGRESS, ObAccessException is sent from the Oracle Access Manager (OAM).

Conditions:
The exact conditions required to reproduce the error are unknown. However, in rare instances, the OAM SDK throws the ObAccessException while checking whether the requested resource is protected by accessgate.

Impact:
EAM process cores and restarts. This exception is thrown in very rare instances, and in those cases, the unhandled exception causes the EAM plugin to core. The EAM process is restarted, and then handles user requests.

Workaround:
None.

460176-1 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in-use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Symptoms:
TMM cored due to memory corruption caused by a double free in forms-based SSO. A forms-based SSO control failing to decrypt could lead to a double free. The decryption failure message is logged in the LTM log.

Conditions:
Double free and TMM core could happen only if forms-based SSO control failed to decrypt.

452660-1 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
Received SNMPv3 traps would appear as if they originated from the same BIG-IP system after failover to a backup BIG-IP.

Workaround:
Workaround is to disable configsync (change 'yes' to 'no') on engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file and then run tmsh load. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode, at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html

451806-7 : Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings

Component: Access Policy Manager

Symptoms:
The Network Access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.

Conditions:
Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings.

Impact:
Admin UI component placement is changed.

Workaround:
The Network Access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.

451250-1 : Detected DoS traffic can still reach the server

Component: Application Security Manager

Symptoms:
When the bypass_upon_load internal parameter is turned on and there is a high load, part of the detected DoS and brute force attack traffic may bypass ASM and reach the server.

Conditions:
This can occur if bypass_upon_load is set to true.

Impact:
ASM marks the traffic as dropped but LTM still passes it to the server.

Symptoms:
URL DoS attacks may be detected even if URL mitigation is not selected and the detection criteria are not configured. A workaround can be to configure very high numbers for the URL detection criteria, and then deselect URL mitigation.

Conditions:
This can occur if you have only an IP based rate limit.

Impact:
False detection of DoS attack.

Workaround:
A possible workaround would be to set a higher value for the URL detection criteria (check a URL mitigation to make the detection criteria visible in the GUI, change the values, and uncheck it again).

449798-2 : Race condition on secondary blade where bigd service sometimes does not get built-in monitors

Component: Local Traffic Manager

Symptoms:
There is a race condition on secondary blade in which the bigd service sometimes does not get built-in monitors.

Conditions:
Intermittently, when a failure on a VIPRION blade in a clustered system causes mcpd to restart, the bigd service does not receive configuration information for built-in monitors, causing the service to log failures and misidentify which monitors it should be running.

Impact:
Causes some nodes/pool members to not be monitored, while others may be monitored by multiple bigd processes in the cluster. The system posts messages similar to the following in the LTM log:
-- err bigd[9433]: 01060129:3: Template /Common/postgresql is not initialized.
-- err bigd[9433]: 01060129:3: Per-invocation log rate exceeded; throttling.

Workaround:
Manually restart bigd on the affected blade.

449617-4 : SSL-key file object configuration fails to validate when it includes a passphrase

Component: TMOS

Symptoms:
If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration.

Conditions:
Passphrase present in ssl-key file object

Impact:
Configuration fails to load

Workaround:
Remove passphrase line from the file object.

449526-3 : LB::prime iRule with SIP filter can result in a core

Component: Local Traffic Manager

Symptoms:
Rarely, an LB::prime iRule with the SIP filter can result in a tmm core, due to the flow control mechanism added in the SIP hudfilter and the fact that LB::prime adds the necessary count of prime messages to the queue and calls mblb_connect synchronously, which has the potential to traverse the entire serverside chain.

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Symptoms:
If "Complexity check for Password Reset" option is enabled in an Active Directory (AD) agent, then the APD process may throw an exception in some conditions. That will cause APD to leak memory.

442618-6 : TMM may core in low memory situations

Conditions:
The BIG-IP system cannot keep up with incoming packet rate, leading to allocated memory build-up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

442532-1 : Log shows "socket error: resource temporarily unavailable"

Component: Access Policy Manager

Symptoms:
Response could not be sent to remote client. This happens rarely with huge access policy configuration. We could not reproduce the issue.

Conditions:
Conditions leading to this issue are not yet known.

Impact:
Box still works okay. Reconnect works.

Workaround:
This issue has no workaround at this time.

442333-1 : Cluster HA state not updated correctly

Component: Access Policy Manager

Symptoms:
Cluster HA state is not getting properly updated.

Conditions:
This occurs in an HA environment at failover time on chassis systems with 2 slots (one primary and other secondary).

Impact:
At failover, all traffic should go to the next primary slot. In this case, traffic goes to the wrong slot. This causes APD and APMD to stop executing the access policy, and traffic to be dropped.

441631-1 : WebSSO may use 100% CPU if a new instance is started manually

Component: Access Policy Manager

Symptoms:
100% of CPU resources could be used by the websso process if it is not started properly. A WebSSO session should be started/restarted using the bigstart script.
However, if the /etc/bigstart/scripts/websso.start script is run manually while previous websso.N processes are still running, it brings up new websso.N instances that cause the original websso.N processes to spin in a loop, using up to 100% of CPU resources.

Conditions:
websso is started manually.

Impact:
The original websso.N processes do not function properly and take ~100% CPU.

Workaround:
bigstart restart websso

441601-1 : Response is truncated in the log

Component: Application Security Manager

Symptoms:
Response is truncated in the ASM events log when the client closes the connection before the response arrives.

Conditions:
This issue occurs when all of the following conditions are met:

-- The active BIG-IP APM system experiences a failover event, causing the peer standby BIG-IP APM system to become active.
-- The newly active BIG-IP APM system also experiences a failover event, causing the initial active BIG-IP APM system now in standby to become active.
-- Users have established network access sessions with either of the BIG-IP APM systems prior or between failover events.

Impact:
Network access sessions fail to reestablish.

Workaround:
No workaround. Failovers triggered because of tmm crash or reboots do not have this problem.

Symptoms:
The SNMP DCA monitor rejects delayed responses with an ICMP unreachable result. Within the threshold of the configured timeout and retry, in the event of an ICMP unreachable, the monitor sets the weight to the default (1).

440589-2 : Deleting a virtual server where Oracle Access Manager (OAM) support is enabled with an AccessGate assigned to it, also deletes the associated AccessGate object in the corresponding AAA OAM object.

Component: Access Policy Manager

Symptoms:
Deleting a virtual server where Oracle Access Manager (OAM) support is enabled with an AccessGate assigned to it, also deletes the associated AccessGate object in the corresponding AAA OAM object.

Conditions:
This issue occurs when deleting a virtual server that has OAM support enabled and an AccessGate object assigned to it.

Impact:
The associated AccessGate object is also deleted from its corresponding AAA OAM object.

Workaround:
None. This is by design. Using multiple virtual servers with the same AccessGate is not supported.

Symptoms:
The browser treats a page loaded from a URL without the default port and the same page loaded after receiving a Location header containing a rewritten URL that includes the default port as different pages, and loads the page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
Resource is loaded twice and this can possibly change behavior of backend.

A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.

440051-2 : There is an issue concerning how the system applies security checks on partial responses.

Component: Local Traffic Manager

Symptoms:
There is an issue concerning how the system applies security checks on partial responses.

Conditions:
Occurs when the system processes partial responses.

Impact:
Detection/handling of truncated responses.

Workaround:
None.

439977-3 : apd crash in AD module

Component: Access Policy Manager

Symptoms:
APD process may crash when running AD Agent

Conditions:
The intermittent crash of the apd process may happen if:
- group cache update is required
- DC is not available / connection to DC failed

Impact:
apd crashes and restarts.

Workaround:
NA

439887-1 : OWA2010 works incorrectly in Chrome via portal access

Component: Access Policy Manager

Symptoms:
Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM Portal Access from the Chrome v.31.x browser.

Conditions:
APM Portal Access from the Chrome v.31.x browser

Impact:
Navigation and message copy/move operations can be done using the keyboard only; mouse operations might not work.

Workaround:
Use Chrome v.40 or later.

439709 : WAM occasionally serves zero-length content

Component: WebAccelerator

Symptoms:
A burst of simultaneous requests for a small expired document can result in incorrectly serving and caching the document as 0 length.

Conditions:
Requesting a compressed document which is smaller than 4k compressed but larger than 4k when uncompressed.

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Conditions:
WebSSO appends SSO parameters to the payload from a POST request without adding the ampersand (&) delimiter.

Impact:
WebSSO does not update Content-Length on sending to backend server.

Workaround:
This issue has no workaround at this time.

437773 : Some LACP trunk members are missing after rebooting primary blade

Component: TMOS

Symptoms:
Some of the Link Aggregation Control Protocol (LACP) trunk members are missing after rebooting the primary blade.

Conditions:
This occurs on VIPRION chassis with more than one blade, configured for LACP after rebooting the primary blade.

Impact:
Some LACP trunk members are missing.

Workaround:
If you have not saved the configuration in the bad state (that is, saved the configuration while the LACP trunk members are missing), you might be able to recover by running the command: tmsh load sys config.

436201-7 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Conditions:
- A virtual server with UDP profile. This is more likely to occur if the UDP profile 'Datagram LB' option is enabled and/or if the UDP profile timeout is 0 or 'immediate'.

- An ICMP packet (such as destination-unreachable) arrives matching the IP and port tuple of an old UDP connection just after a new UDP packet arrives from a client with the same tuple for a new connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If the UDP profile timeout is set to 0 or 'immediate', consider increasing this value.

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
Name D113

instead of the official platform marketing name, such as:

Platform
Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.

434517-5 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If an HTTP_RESPONSE event fires due to the server sending an early response (i.e., a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
Client begins sending a request. The server responds before that request is completely sent. HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.

434400-9 : tmm might core with rate-limiting on virtual server

Component: Local Traffic Manager

Symptoms:
tmm might core when rate-limiting is configured on a virtual server.

Conditions:
This occurs on a virtual server with rate-limiting enabled and unexpected filter operations that send LB selection after connection is in progress. This might also occur with an iRule that behaves similarly, for example, issuing an LB command after a TCP::release.

Impact:
Traffic disrupted while tmm restarts.

433972-3 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
After upgrading, ASM keeps logging error messages, but there is no impact on the traffic.

Impact:
The error message is mostly benign. It occurs on storing counters for web scraping attacks to the database, and could include records for multiple policies in a single update. If the failing record were inserted in a batch, all records in the batch will be silently lost. However, under most conditions, individual records will be saved, so this is unlikely to have an impact.

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.

Symptoms:
Authentication with Oracle Access Manager API can throw an exception while obtaining redirect URL. This is an intermittent issue.

Conditions:
It could be triggered when ASDK fails to return the URL string for redirection or if it returns null string.

Impact:
Without the fix, the unhandled exception causes an EAM core and service outage. With the fix, the exception is handled gracefully and an error page with an error message is returned to the end user. The process will not core.

Symptoms:
The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.

431216-2 : Client proxy settings do not work when using Network Access with Internet Explorer 11

Component: Access Policy Manager

Symptoms:
Internet Explorer does not recognize Proxy Auto-Configuration (PAC) files specified with the "file://" prefix. As a result, client proxy settings do not work when using Network Access with Internet Explorer 11.

Symptoms:
The internal XML schema processor does not treat the mustUnderstand and encodingStyle attributes on the Envelope element as global attributes, as it should. As a result, violations are incorrectly triggered.

Impact:
A violation is triggered even though the WSDL is configured to allow it.

430073-1 : Slow GUI response when navigating to the Parameters

Component: Application Security Manager

Symptoms:
Any navigation away from and back to this page incurs the same delay, and opening multiple pages in tabs incurs a cumulative delay (the customer has experienced a delay of 75 seconds when opening 5 tabs showing parameter details).

Conditions:
Simply navigating to Application Security -> Parameters -> Parameter List will show the same issue.

Impact:
Given a normal workflow through ASM this is causing significant problems in day-to-day management operations.

429617-1 : Full APM Webtop does not work on Windows RT clients

429561-4 : User-defined ACLs List Incorrectly Displays

Component: Access Policy Manager

Symptoms:
The list of User-defined ACLs is expected to display only ten listings per page. If more than ten ACLs exist, end users can switch between listing pages by selecting the page number or the "Show All" option from the drop-down element at the lower right of the main table. Similarly, end users should be able to click the arrows that appear on either side of the aforementioned drop-down element to navigate to a different page of listings.

Currently, only the first ten ACLs are listed, even when the end user selects a different page number from the drop-down or uses the navigation arrows.

Conditions:
When more than ten User-defined ACLs exist.

Impact:
End users may be unaware of all ACLs that exist.

Workaround:
From the drop-down element, the "Show All" selection will still work to display all listings.

The `tmsh list apm acl` command can be run from the command line to list all ACLs.

429011-5 : No support for external link down time on network failover

Component: Local Traffic Manager

Symptoms:
For switch-based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable. If this indicates a transition from Active to Standby, it downs the external links and starts a timer to re-enable the links after a customer-specified delay, as set by the failover.standby.linkdowntime DB variable.

Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.

Impact:
No support for external link down time on network failover.

Workaround:
None.

428952-3 : Timer event for an expired connection.

Component: Application Security Manager

Symptoms:
The customer may face a crash on slow post request.

Conditions:
This issue occurs when the timer of a slow POST request expires on a connection that has already been released.

2. Change the guest's management IP in the guest (TODO: verify if this also works), to override the one passed in by the hypervisor.

426209-1 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
When the amount of report data is large.

Impact:
The Admin UI is inaccessible.

Workaround:
Avoid exporting large amounts of report data.

425980-1 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time the message was issued.
The slot number of the blade on which the blade-specific condition occurred is not included in the message on the LCD display.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat

425953-1 : Commit ID not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
The accounting information used to track sync status does not get copied to the secondary blades of the chassis. If one of them becomes primary, it may appear to be out of sync.

Conditions:
This happens very rarely; the chance is greater with a higher number of Tcl expressions with session variables in APM configurations. APD must be processing an access policy with Tcl expressions using session variables while the administrator makes a configuration change to one of the policies containing Tcl expressions.

424936-3 : apm_mobile_ppc.css has duplicate 1st line

Component: Access Policy Manager

Symptoms:
An extra line (consisting of "<?") appears at the top of the apm_mobile_ppc.css file and causes an error like this one:
Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '<' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2

Impact:
An error message is generated in the /var/log/http_errors log file.

Workaround:
To work around the problem, remove the extra line ("<?") from /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.

424768-3 : websso doesn't log startup process

Component: Access Policy Manager

Symptoms:
When websso starts up, it does not log any messages until it has read some variables from mcpd.

Conditions:
websso is configured.

Impact:
In some situations it is impossible to determine why websso cannot start, because there is no indication of a problem in the logs.

Workaround:
None.

424371-5 : Protected Workspace does not work on Windows 8.1

Component: Access Policy Manager

Symptoms:
Protected Workspace does not work on Windows 8.1.
Internet Explorer 11 and Windows Explorer cannot start on the Protected Workspace Desktop.

Impact:
Config load could fail if the target system doesn't have transceivers installed in all SFP ports designated as trunk members by the incoming config.

Workaround:
Install transceivers before configuring the BIG-IP.

424313-2 : When profile is copied images are not copied together with it

Component: Access Policy Manager

Symptoms:
If you copy a policy that has two images assigned to the same object but in different languages, at least one of the images is not copied.

Conditions:
Objects that support customization and images, with two images assigned at the same spot for different languages.

Impact:
All customizable objects with images are affected.

Workaround:
Copy the profile, then reassign the missing images manually.

424248-4 : Virtual servers bind failure on some tmm's

Component: Local Traffic Manager

Symptoms:
Packets arriving on the BIG-IP system that should match a specific virtual server are dropped, or match a less-specific virtual server. In this case, the virtual servers have failed to bind on some tmm's and are therefore not able to forward traffic.

When a client uses passive FTP, and there are multiple control connections, the data connection of a client might end up going to one of the other duplicate listeners, resulting in the data connection eventually going to the wrong server/poolmember.

Conditions:
Two or more virtual servers are listening on the same IP, port, and protocol but have different VLAN assignments, typically with a VLAN enable list on one and a VLAN disable list on the other, although this may not be strictly required.

For the FTP case, the client must be using passive FTP. Also, there must be at least two FTP control connections from the client.

Impact:
Dropped or misdirected traffic. Misdirected in the sense that the traffic does not match the more-specific virtual server and is matched to a less-specific one or dropped outright.

The passive FTP data connections from a client may end up going to the wrong server.

Workaround:
At this time, we recommend using VLAN enable lists for all virtual servers that are listening on the same IP, port, and protocol as a workaround if the customer runs into this issue.

This workaround does not apply to the passive FTP issue.

423803-1 : PSM Virtual server associations are lost after CMI sync.

Component: Application Security Manager

Symptoms:
If the configuration between devices in a device group is not fully synchronized, the association between Virtual Servers and HTTP Profiles may be lost.

Conditions:
This occurred when the same virtual server and FTP profiles existed on both devices, but the FTP profile had security enabled on device A and disabled on device B.

Impact:
If the LTM configuration between devices in a CMI group is not synchronized, PSM associations can be lost.

Symptoms:
The compression setting pull-down is available on the Network Access resource page. If an end user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that the compression license limit has been exceeded for the day.

Conditions:
Set compression to 'GZIP compression' using a box that does not have compression licensed. Run traffic.

422460-9 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: TMOS

Symptoms:
TMM restarts without producing a core file on startup, or when mcpd is loading the configuration, if the configuration is large (for example, over 1000 passive monitors).

Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000, 11050 platform, or VIPRION B4300 blade).

Workaround:
This workaround is a mitigation and may not work in all cases; the zero-window timeout may need to be adjusted to a higher value for some configurations.

To work around this issue, increase the timeout used for the MCP connection.

1. Open the tmm_base.tcl file for modification.
2. Locate the tcp _mcptcp stanza.
3. Add the following line:
zero_window_timeout 300000

This lengthens the timeout, which avoids the restart. For more information, see SOL14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available here: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14498.html.

Symptoms:
If you use a third-party PPTP VPN connection and connect to BIG-IP Edge Gateway over this PPTP tunnel, the Mac OS X Edge Client fails to connect after initially establishing a successful connection with BIG-IP Edge Gateway.

Conditions:
Mac OS X built-in PPTP client software, BIG-IP Edge Gateway, and the BIG-IP Mac OS X Edge Client.
This is untested, but it is very possible to see this issue with other third-party PPTP client software too.

421451-1 : Policy Builder process exits with core if there are too many URLs in the Extraction list

Component: Application Security Manager

Symptoms:
If a user adds a large number (~1700) of URLs to a policy's extractions list (Security > Application Security : Parameters : Extractions > Create New Extraction...), the Policy Builder can be shut down with a core by its internal watchdog.

Conditions:
A large number of URLs is added at once to the extractions list.

Impact:
The Policy Builder is restarted.

Workaround:
Mitigation: install TMOS v11.2.1 HF8

Workaround: Press the "Save" button every time you add a small number of URLs (10-20) to the Extractions List.

421450-1 : ---

Component: Application Security Manager

Symptoms:
In 11.2.1-HF8 and later hotfixes, the ASM Enforcer may parse multipart parameters that violate the RFC.

421429-5 : Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.

Component: Local Traffic Manager

Symptoms:
Client-initiated renegotiation for Server SSL profile does not work with DTLS when it connects to another BIG-IP Client SSL.

Conditions:
This issue occurs when the following condition is met: A BIG-IP system configured with a Server SSL profile attempts to renegotiate a DTLS connection with a BIG-IP system configured with a Client SSL profile, as follows:

420977-2 : Improved the system's placement of ASM JavaScript code.

Component: Application Security Manager

Symptoms:
If you have pages where browser compatibility is maintained via the '<meta http-equiv="X-UA-Compatible" content="IE=8" />' tag, the CSRF script can be injected in the wrong place.

Conditions:
When you enable CSRF protection, the site breaks because the CSRF JavaScript is injected into the page before this tag. If there are other meta tags that appear before the "X-UA-Compatible" one, the injection takes place after the first of those meta tags.

Impact:
The CSRF script is inserted after the first meta tag, not after the X-UA-Compatible meta tag. This can cause certain versions of Internet Explorer (IE10) to not load the pages properly.

Workaround:
This issue has no workaround at this time.

420893-1 : Process errors in wamd

Component: WebAccelerator

Symptoms:
The wamd process can core under heavy PDF linearization or image optimization load if disk or RAM resources abruptly become low.

Conditions:
If a disk or RAM shortfall occurs abruptly and the OWS is slow enough in responding, WAM may initially decide it has enough disk and RAM to optimize but discover later that it does not. This is mostly handled properly, but there was one unlikely corner case that was not.

Impact:
wamd cores and restarts.

Workaround:
If the shortfall is disk, free more space in /shared. If the shortfall is RAM, increasing RAM may help slightly.

420585-1 : DNS cache resolver stability improvements

Component: Local Traffic Manager

Symptoms:
TMM crashes when using a DNS cache resolver or validating resolver. In a failover scenario the same result occurs on the newly active system.

420580-3 : DTLS handshake fails when BIG-IP receives datagrams out of order

Impact:
Clients may fail to establish DTLS sessions with the BIG-IP system. The BIG-IP system responds with an incorrect DTLS handshake.

Workaround:
None.

420376-2 : ASM crashed during ASM encoding configuration

Component: Application Security Manager

Symptoms:
When a security policy has an encoding with many secondary encodings (such as the Chinese encoding) and receives transactions with parameters or URLs in different secondary encodings at a high rate, and at the same time the user reconfigures the security policy and changes the encoding to one of the secondary encodings, there is a chance that the Enforcer's internal encoding table becomes corrupted.

415008-1 : ---

414370-3 : ACCESS::disable and ASM may send TCP reset

Conditions:
Both an access profile and an ASM profile are assigned to a virtual server, and the iRule command ACCESS::disable is used on that virtual server.

Impact:
Minimal. Most clients will automatically retry, and the retry will succeed. Most users will not notice this error.

Workaround:
None.

413689 : ntlm + oneconnect + persistence + v2 plugin can cause crash

Component: TMOS

Symptoms:
If you apply NTLM, OneConnect, and Persistence together with a V2 (TMI) plugin, TMM can crash.

Conditions:
The specific filters indicated above, together, can result in a TMM crash.

Impact:
TMM restarts, connections lost.

Workaround:
None.

413477-1 : Potential failure to connect or persist to server using iRule commands

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might either fail to load balance when the iRule 'pool' command is used, or choose the wrong pool member if multiple iRule 'persist' commands are used in the same connection.

Conditions:
This occurs when an iRule that runs the 'pool' command is assigned to a virtual server with fallback persistence and no default pool, or when an iRule runs the 'persist' command multiple times in the same connection.

Impact:
A portion of traffic fails to be sent to a correct pool member.

Workaround:
If fallback persistence is configured on the virtual server, also configure a default pool on the virtual server. If an iRule has the potential to run multiple 'persist' commands on the same CLIENT_ACCEPTED or L7 request event, you can modify the iRule to ensure the 'persist' command runs only once, if that is appropriate for the traffic. For more information, see SOL14628: Connections may stop responding or be directed to an incorrect pool member.

413354-1 : Port selection algorithm may prematurely reuse port

Component: Local Traffic Manager

Symptoms:
A BIG-IP system may reuse an ephemeral port that was recently used for a previous flow. This results in the BIG-IP system sometimes being unable to pass FTP traffic.

Conditions:
This occurs when a port range is used. Since FTP uses the port range code, the issue is often observed with FTP traffic.

412493-2 : ---

412201-2 : ---

411591-2 : ospfd core dump when redistributing ospf routes over ospf

Component: TMOS

Symptoms:
The ospfd daemon dumps a core when OSPF routes from other OSPF instances are redistributed continuously.

Conditions:
The ospfd daemon dumps a core when OSPF routes from three OSPF peers are repeatedly configured to redistribute, and then not to redistribute, into a fourth OSPF instance on a BIG-IP system while the interface of the fourth OSPF peer is flapping.

Impact:
ospfd terminates on the BIG-IP system.

Workaround:
None.

411405-1 : Port may become temporarily unavailable in cmp mode

Component: Local Traffic Manager

Symptoms:
Some ports are not reusable immediately in CMP mode.

Conditions:
CMP-compatible platforms, where a virtual server is configured to use the same port as another virtual server, even if that virtual server is configured to time out immediately.

410800-1 : Learning suggestion cleaning order

410604-3 : websso daemon may crash due to memory exhaustion for large size HTTP POST

Component: Access Policy Manager

Symptoms:
The websso daemon may crash due to memory exhaustion.

Conditions:
When a client sends an HTTP POST with a large payload (i.e., hundreds of megabytes), the websso daemon may run into memory exhaustion and core dump due to a malloc failure. This is more likely to happen when the BIG-IP platform is already under memory pressure at the system level, for example when many modules are provisioned on a low-end BIG-IP platform.

Impact:
The websso daemon is restarted, and the operation in progress at the time may hang until the TCP connection times out (5 minutes by default).

410578-3 : ActiveSync fails with Kerberos SSO

Component: Access Policy Manager

Symptoms:
An ActiveSync client uses Basic HTTP authentication. When used with APM Kerberos SSO, APM fails to delete the authorization HTTP header from the client and adds another header for Kerberos. This results in two headers, causing the server to respond with 400 Bad Request.

Conditions:
1. Configure Kerberos SSO with always-insert-Authorization-header enabled.
2. Establish an APM session.
3. Send a request with a valid MRHSession cookie that includes an HTTP Authorization header (any method is OK).
4. Verify that the request forwarded to the backend has two Authorization headers.

Impact:
APM fails to delete the authorization header from the client and adds another header for Kerberos. This results in two headers, causing the server to respond with a 400 Bad Request.

Symptoms:
TMM may produce a core file when reselecting a pool member for a FastL4 virtual server.

Conditions:
This issue occurs when all of the following conditions are met:
-- The affected virtual server is a FastL4 virtual server.
-- The affected virtual server uses a pool configured with Action On Service Down set to Reselect.
-- A pool member from the affected pool is marked down, requiring TMM to perform a reselect to service a subsequent request.

Impact:
When servicing a connection for a FastL4 virtual server, if the TMM is required to reselect a new pool member for a subsequent request, a segmentation violation (SEGV) may occur. TMM may produce a core file and temporarily fail to process traffic.

Workaround:
None.

410338-2 : APM does not correctly recover the iSession control channel after the server closes a transport TCP connection.

Component: Access Policy Manager

Symptoms:
APM does not correctly recover the iSession control channel after the server closes a transport TCP connection.

Symptoms:
The TCP monitor does not send out any SYNs for ~190 seconds, or sends SYNs at 0, 3, 9, 21, 45, and 92 seconds and then retries at 189 seconds.

Conditions:
This issue occurs when the following conditions are met:

The pool member is monitored with a health monitor that uses TCP. For example, a TCP, HTTP, or HTTPS monitor.

Note: This issue has primarily been reported to affect HTTPS health monitors.
The pool member is unresponsive to the health monitor.
The bigd process should continue to monitor a pool member after the system has marked the pool member as Down. However, when a down pool member continues to be unresponsive after being marked Down, the bigd process may check the pool member less frequently than expected. As a result, the bigd process may experience a delay of several minutes before sending a health check and discovering that the affected pool member has recovered.

Impact:
The system may not mark recovered pool members Up in a timely manner.

407327-2 : Internet Explorer in "desktop mode" on Windows Phone 8

406971-1 : Logout causes javascript error

Symptoms:
After clients log out, they get a JavaScript error: 'length' is null or not an object

Conditions:
Portal Access is in use and the client logs out.

Impact:
A JavaScript error occurs on the client; this error can be ignored.

405673-3 : Mirrored TCP flows do not function properly due to HA Channel instability and may even core

Component: Local Traffic Manager

Symptoms:
Under conditions of HA channel instability, such as HA traffic being dropped, the mirrored TCP flows on the standby become unusable. They get into unreliable states and may even result in a tmm core.

Conditions:
HA channel instability resulting in loss of HA packets is required for this to manifest.

Impact:
Mirrored flows on the standby lose their integrity and get into an unstable state, and this may even result in a tmm core. Traffic disrupted while tmm restarts.

Symptoms:
Device trust manages the certificates and keys required for the SSL connections between devices used for configuration synchronization. These certificates and keys must always be present; if they are not, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

405438 : tmm core while provisioning WOM to dedicated and LTM to none in rapid succession

Component: TMOS

Symptoms:
After provisioning WOM to dedicated, tmm will continually restart, and the only way to get out of the restart loop is to install BIG-IP to another slot and boot to it.

Conditions:
Provisioning WOM to dedicated, and provisioning LTM to none.

405365-3 : ---

Symptoms:
Previously, under certain circumstances an interrupted connection could prevent the ActiveSync client from logging on. This has been corrected.

405348-7 : ActiveSync POST fails when body is larger than 64k.

Component: Access Policy Manager

Symptoms:
Sending of large mail (body greater than 64 KB) fails with an ERR_NOT_SUPPORTED message in /var/log/apm when using ActiveSync.

Conditions:
This occurs when the following conditions are met:
ActiveSync configured on the BIG-IP system.
Email is sent with a large attachment, when the device sending the email currently has no active session.

Impact:
Large POST bodies, such as those in emails with large attachments, are not sent successfully. The message fails to send with an error message asking the user to use the mail server directly.

Workaround:
Modify the db variable 'tmm.access.maxrequestbodysize' to a value greater than the default, 64 KB.

405001-1 : ---

Component: Application Security Manager

404461-1 : ---

Component: Access Policy Manager

404239 : APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay.

Component: Access Policy Manager

Symptoms:
APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay.

Conditions:
DTLS is configured on a link with 50-200 msec delay.

Impact:
APM client does not fall back to TLS.

Workaround:
None.

403702-2 : Valid SOAP request fails schema validation

Component: Application Security Manager

Symptoms:
The XML Schema processor incorrectly processes the extension of an empty complex type with an empty sequence. When you pass a SOAP request, you see the error "XML data does not comply with schema or WSDL document".

Conditions:
An ASM XML policy is configured.

Impact:
The SOAP request fails to validate and ASM returns an error.

403326-2 : Prevent caching of landing URI

Component: Access Policy Manager

Symptoms:
In web application access mode, when you try to access a backend server file, such as an Excel file, as the first request, APM adds some cache-related headers that do not allow Internet Explorer to open the file.

Conditions:
In web application access mode, when you try to access a backend server file, such as an Excel file, as the first request.

Impact:
Internet Explorer may not allow you to open the file.

Workaround:
Adjust the cache control headers in the first object that APM accesses to maintain the current behavior and work around the Internet Explorer bug detailed in Microsoft Knowledge Base article 323308:
http://support.microsoft.com/kb/323308

403283-3 : Connecting to a site with a certificate problem might be possible.

Component: Access Policy Manager

Symptoms:
It might be possible to connect to a site with a certificate problem.

Conditions:
Attempting to connect to a site with a certificate problem.

Impact:
Connection completes successfully when it should not.

Workaround:
None.

402840-2 : EAM restarts on using non urlencoded % parameter

Component: Access Policy Manager

Symptoms:
The Oracle ASDK throws an unknown exception when a non-URL-encoded % character is used in a URL parameter list. A fix needs to be implemented in the Oracle ASDK to avoid this unwanted exception.

Symptoms:
Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms.

Conditions:
This can occur on the 2000/4000 series platforms.

Impact:
A kernel panic can occur.

Workaround:
The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.

396729-4 : Two mirroring connections and fastL4 connections

Component: Local Traffic Manager

Symptoms:
If you have configured two mirroring connections (both a primary and a secondary pair), when the inactive mirror connection is dropped and then re-established, fastL4 connections expire on the standby after the timeout.

Conditions:
This occurs when using fastL4 with two mirroring connections configured, and the inactive mirror connection is dropped and then re-established.

Impact:
The fastL4 connections expire on the standby after the timeout.

Workaround:
To work around this issue, configure only one mirroring connection.

Symptoms:
In some route domain and SNATpool deployments, the APM virtual server is not accessible. You may see this log signature in /var/log/ltm: tmm err tmm[3025]: 01230140:3: RST sent from <ip_addr> to <ip_addr>, [0x1338439:289] Internal error ((APM::SSO) trans begin failed)

Conditions:
This can occur if you have route domains configured and SNAT pools are in use.

Impact:
Traffic will not pass.

395974-1 : EDGE: Assertion "peer ref valid" failed.

Component: Wan Optimization Manager

Symptoms:
EDGE: Assertion "peer ref valid" failed.

Conditions:
APM.

Impact:
TMM crash.

Workaround:
None.

395720 : Ethernet devices not getting renamed on BIG-IP 4000

Component: TMOS

Symptoms:
On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7.

Conditions:
This occurs on the BIG-IP 4000.

Impact:
Ethernet devices do not get renamed.

Workaround:
To work around this issue, reboot the device.

395570-2 : TCP::Collect iRule can cause TMM failure.

Component: Local Traffic Manager

Symptoms:
TMM can fail when traffic is sent to an SSL virtual server.

Conditions:
Use of a TCP::collect iRule command while the SSL filter is in use can cause a TMM failure.

Impact:
TMM Outage.

395160-1 : Multiple simultaneous requests to optimize an image before it is cached results in performance impact.

Component: Performance

Symptoms:
Multiple simultaneous requests to optimize an image before it is cached may result in re-optimizing that image more times in this release than in the previous release.

Conditions:
This occurs only when using 11.2.1 and there are multiple simultaneous requests to optimize an image before it is cached.

Impact:
Performance impact due to re-optimizing that image more times.

Symptoms:
When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted.

Conditions:
This occurs when changing the baud rate using the AOM command menu.

Impact:
The incorrect baud rate might be shown.

Workaround:
Restart fpdd using the command 'bigstart restart fpdd'.

393150 : 42k item configuration and loading on 8 GB platform

Component: TMOS

Symptoms:
When loading a configuration with 42,000 items or more on a system with 8 GB of memory, you may experience up to 45 seconds of extra load time.

Conditions:
This occurs with a 42,000-item configuration when loading on 8 GB platform.

Impact:
You may experience up to 45 seconds of extra load time.

Workaround:
To avoid this extra time, you can issue the following command before loading: 'tmsh modify sys db provision.extramb 512'.

392255-1 : tmm core or apmd core on session information

Component: Access Policy Manager

Symptoms:
Under high load, and in deployments where users log in and log out frequently, APM crashes intermittently. This happens because APM tries to free an already freed session DB entry. The fix resolves this double-free issue.

Conditions:
This can occur while processing normal traffic with APM configured.

Symptoms:
On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on.

Conditions:
This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable.

Impact:
The power supplies in the system that are not turned on might log error messages until power is removed.

Workaround:
Remove power on disabled power supplies.

389328-1 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, users will not be able to log on after a switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.

Symptoms:
The parameter names are not displayed in the Advanced Extractions, Allowed URLs, and other screens.

Conditions:
This occurs when viewing Advanced Extractions.

Impact:
This is a cosmetic issue in the GUI.

386675-3 : rewrite plugin crash

Component: Access Policy Manager

Symptoms:
Certain headers can trigger a rewrite plugin crash. Errors in the rewrite log have this signature: "ERROR Occured with operation: tm_abort"

Conditions:
Access Portal configured with rewrite in use.

Impact:
The rewrite plugin can crash. Access traffic disrupted while it restarts.

386644 : B4300 blade may fail to join the cluster and reboot continuously

Component: TMOS

Symptoms:
When a B4300 blade is inserted into the VIPRION 4800 8-slot chassis, the blade fails to join the cluster and reboots continuously. This occurs because the VIPRION 4800 chassis only supports blades running BIG-IP 11.3.0 or later software.

Conditions:
This issue occurs when the blade boots to a boot location that contains software that is earlier than BIG-IP 11.3.0.

Impact:
As a result of this issue:
-- The blade fails to join the cluster with multiple daemon cores and restarts.
-- The BIG-IP LTM log contains messages that indicate that the mcpd process on the adjacent blades cannot be contacted and the newly added blade isolates itself as a primary blade.
-- The blade reboots continuously.

Workaround:
Before removing a B4300 blade from a 4-slot chassis to insert into an 8-slot chassis, first ensure that 11.3.0 (or later) is the only software installed on that blade. For more information, see SOL14255: The B4300 blade may fail to join the cluster and reboot continuously, available at http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14255.html.

385890-1 : tmm core

Component: Local Traffic Manager

Symptoms:
In rare cases tmm can core during normal operation with an HTTP profile in use.

385345 : DHCP not supported on VIPRION platforms, but the system does not prevent its configuration, in pre-11.4.0 releases.

Conditions:
This occurs on VIPRION systems. In pre-11.4.0 releases, the system did not prevent its configuration. Post-11.4.0, there is no option to configure it. However, it is still not supported.

Impact:
DHCP is not supported on VIPRION systems, but the system does not prevent its configuration in pre-11.4.0 versions.

Workaround:
None.

385143 : AVR does not comma-separate fields

Component: Application Visibility and Reporting

Symptoms:
When AVR remote logging is set for short messages (without description), a comma is missing between some fields.
These fields are still easy to distinguish, because each is enclosed in double quotation marks (").

Conditions:
DB variable md.showexternalloggingdescription is set to 0.

Impact:
AVR does not comma-delimit the statistics.

Workaround:
If you are encountering this, set md.showexternalloggingdescription to 1.

384995-1 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.

Conditions:
When the management IP is changed on a device in a trust domain, it is not updated in the device group even though its config sync IP is a SelfIP and config sync continues to work. Other devices show it offline under Device Management :: Devices.

382052-1 : High memory usage when ssl profiles are in use

Component: Local Traffic Manager

Symptoms:
If you have one or more ssl profiles attached to virtual servers configured with peer-cert-mode set to Require, the certificates will be stored in memory and can consume a lot of system memory.

Conditions:
This can occur if a client or server SSL profile is configured with peer-cert-mode set to require (Client Certificate set to "Require"), and SSL session caching is enabled.

Impact:
High memory usage by the ssl profile(s).

Workaround:
If you do not require client certificates to be presented, you should disable this setting.

381258-2 : 'with' statement in web applications works wrong in some cases

Conditions:
If the JavaScript operator 'with' is used in web-application code and, after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:

...F5_Inflate_xxxxx(F5_ScopeChain,...

...F5_Deflate_xxxxx(F5_ScopeChain,...

...F5_Invoke_xxxxx(F5_ScopeChain,...

then this issue may occur.

Impact:
Web-application functionality is affected.

Workaround:
As a workaround, an iRule can be used to rename the affected variable within the function's body. No general iRule exists; a custom iRule must be created for each case.

379236-1 : TMM process may core while using the COMPRESS::nodelay iRule command to process traffic

Component: Local Traffic Manager

Symptoms:
TMM process may core while using the COMPRESS::nodelay iRule command to process traffic. As a result of this issue, you may encounter the following symptoms:

-- A TMM core file generated at the time of the crash in the /shared/core directory.
-- The BIG-IP system may log SIGSEGV to the /var/log/tmm file.
-- The BIG-IP system temporarily fails to process traffic.

Conditions:
The COMPRESS::nodelay iRule command prevents the compression buffer from delaying the delivery of data to the client. This iRule command is useful in situations where you require the HTTP servers to stream dynamic information to the client in a single HTTP transaction through the BIG-IP system without having to disable HTTP compression.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To recover from this issue, you can remove the COMPRESS::nodelay iRule command from the affected iRule. To do so, perform the following procedure:

376000-3 : Uploading files through APM portal access sometimes fails

Symptoms:
Sometimes uploading files when accessing a web application using APM Portal Access mode could fail. This includes sending an email message with an attached file using OWA.

375887-1 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running a spanning tree protocol or a variant, this can look like a loop.

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization, which happens when the BIG-IP system reboots; the reboot is triggered automatically when this condition occurs.

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, reduces the possibility of this problem.

372332-2 : Unnecessary buffering of client-side egress in some circumstances.

Component: Local Traffic Manager

Symptoms:
BIG-IP can perform unnecessary buffering of client-side egress in some circumstances. This can cause a tmm crash due to an out-of-memory condition. Analysis of the core by support indicates that the system has run out of memory.

Conditions:
It is not known what triggers this event, but it has been observed when modules such as APM and ASM are enabled.

Symptoms:
When logged in as a resource administrator, "load sys config default", which restores the configuration to factory defaults, does not prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.

366011-1 : ---

Component: Application Security Manager

365764-1 : Loading UCS with no custom partition fails on system with GTM objects defined in custom partition

Component: TMOS

Symptoms:
Loading a UCS with no custom partition in it fails on a system that has any GTM objects defined in a custom partition.

Conditions:
This applies when a GTM configuration exists in a custom partition.

Impact:
Requires manual intervention to load a UCS archive.

Workaround:
To work around this issue, delete all GTM objects in a custom partition prior to loading a UCS, using a command similar to the following: rm -f /config/partitions/partition_name/bigip_gtm.conf. Then load the configuration using a command similar to the following: tmsh load sys config gtm-only partitions all.

Symptoms:
On the System :: Preferences screen, changing 'Idle time before automatic logout' to any non-default value causes the CPU usage to increase.

Conditions:
Changing 'Idle time before automatic logout' to a non-default value.

Impact:
CPU usage increases.

Workaround:
To work around this issue, kill the iControlPortal.cgi processes by running the following command: killall iControlPortal.cgi. For more information, see SOL13679: The BIG-IP system fails to shut down the iControlPortal.cgi process when the 'Idle time before automatic logout' setting is modified, available here: http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13679.html.

362619-1 : Memory leak in rtstats (real-time statistics) process

Component: TMOS

Symptoms:
When end-users open the Dashboard (statistics GUI), the rtstats memory size grows continuously. This memory is not released when the Dashboard is closed.

Conditions:
The process leaks only when end-users have the Dashboard (GUI) open.

Impact:
Leak can lead to out-of-memory condition.

Workaround:
Avoid use of Dashboard (statistics GUI). Most statistics can be gleaned from other locations in the GUI or via tmsh.

Symptoms:
If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades cannot use this address and issue an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, the message is cosmetic), but using multicast failover avoids the messages.

359774-3 : Pools in HA groups other than Common★

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.

354406-2 : APM access policy on SNAT pool

Component: Access Policy Manager

Symptoms:
When a virtual server is configured to use a SNAT pool for source NAT of the traffic between the virtual server and backend servers, and one of the IP addresses in the SNAT pool is a self-IP, the access policy does not work for the virtual server.

Conditions:
SNAT pool contains a self-IP address.

Impact:
Access policy fails, client is unable to connect.

Workaround:
Ensure the SNAT pool does not contain a self-IP address.

Symptoms:
If an HTTP client sends a request with a body, a pipelined request follows it, and an iRule performs an HTTP::collect, then the HTTP::payload command may include data from the following requests.

Conditions:
HTTP client request with a body, followed by a pipelined request, with an iRule that performs HTTP::collect.

Impact:
HTTP::payload command may include data from the following requests.

Conditions:
An HTTP profile is attached to a virtual server. A 408 response status is received from the server and is not preceded by a request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

To enable or disable a Wide IP, use either the Wide IP List page in the UI (Link Controller :: Inbound Wide-IPs :: Wide IP List) or the following tmsh command:
"modify gtm wideip <wideip name> enabled"

337934-8 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
In remoterole configurations in which one of the attributes ends in 'role', that attribute is truncated. This can also happen with an attribute that ends in 'deny' and has a deny directive.

Conditions:
remoterole attributes ending in 'role'. This may also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role', or one that ends in 'deny' and has a deny directive.

224903-2 : CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Component: TMOS

Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Conditions:
CounterBasedGauge64 MIB values.

Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems.

Symptoms:
The persist cookie insert and persist cookie rewrite iRule commands fail to set session cookies when the expiration time is not explicitly listed.

Conditions:
When invoked with no additional arguments, the persist cookie insert and persist cookie rewrite iRule commands should set a session cookie. However, due to the issue described in this article, the iRule commands set a cookie that expires after 180 seconds.

In versions prior to 11.3, the same issue also occurs if the aforementioned iRule commands are invoked with the 0d 00:00:00 optional expiration argument, which tells the BIG-IP system to set a session cookie. 11.3 and above interpret an expiration argument of 0 correctly, and set a session cookie.

Impact:
TMM sets a cookie that expires in 180 seconds instead of a session cookie.

Workaround:
In 11.3 and above, explicitly specify a 0 for the cookie timeout in the iRule. In previous versions, set the persist profile timeout to 0.

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade